Qlik Sense and Vulnerability “CVE-2025-7783” in NPM Library form-data

Jamie_Gregory · Oct 2, 2025 10:14:08 AM

Qlik Sense and Vulnerability “CVE-2025-7783” in NPM Library form-data

In mid-July 2025, a vulnerability was disclosed in the NPM library form-data (GitHub Security Advisory). Qlik became aware of this issue through its standard Secure Development Lifecycle (SDL) processes.

Following an internal review, Qlik R&D and Security teams identified that potentially vulnerable versions of the form-data library were included in some installations of Qlik Sense Enterprise for Windows. However, due to the specific way Qlik utilizes this library, the conditions required for exploitation are not met.

Although the vulnerability was determined to be non-exploitable within Qlik Sense, customers who prefer to upgrade to a version that includes the patched form-data library can do so by installing one of the following releases:

May 2025 Patch 6
November 2024 Patch 18
May 2024 Patch 24

Note: An earlier version of this information was mistakenly published indicating that this CVE was directly related to Qlik Sense for Windows.

Thorsten_Grund · ‎2025-10-01

Good morning!

I noticed the “Published date” for May 2025 Patch 6 hasn’t changed—just checking: is that still the current version with the fix included?

Thanks so much!

jeremyseipel · ‎2025-10-01

Will there be a patch for November 2023, since i believe it is technically still covered under support?

steeefan · ‎2025-10-01

There is also a Patch 7 available for May 2025, released today (01.10.2025), that isn't mentioned in the release notes. It's almost doubel the size of Patch 6 (560mb compared to 293mb). What's that about?

salshute · ‎2025-10-01

I am also interested to know @steeefan and @Jamie_Gregory as we are planning on upgrading a major global client in a few hours

QlikRockStar · ‎2025-10-02

The Ministry of Information Security in Germany is still listing the CVE as critical - and this is where a lot of customers are watching. Warn- und Informationsdienst - Sicherheitshinweis At least the article is back online, but customers are confused. In addition the missing info about Patch 7. Is there a way to revoke the CVE?

steeefan · ‎2025-10-02

I noticed that Patch 7 is now listed in the release notes. What I don't understand is why this patch is all off a sudden twice the size of the previous one.

jseipel · ‎2025-10-02

For anyone with clients that have yet to upgrade to newer releases, I submitted a ticket to Qlik on this and got the following response about prior versions, specifically around November 2023.

----

Lewis Ongeri

Oct 2, 2025

Hello Jeremy,

Yes I checked that November 2023 is still supported until November 14, 2025. However, this I have checked with the development and security teams and unfortunately, they are no plans to backport changes to the older versions i.e. November 2023.

------

David_Friend · ‎2025-10-03

@steeefan

We understand this patch exceeds our standard update size. This is due to a fix addressing a core system component that is infrequently modified. Due to architectural dependencies, deploying changes to this component requires the inclusion of its complete file set, resulting in the larger-than-usual patch size.