Last Week in AppSec for 29. July 2025

ID: ddb0c358-6286-510d-92fd-7111984b6e3f

STIX ID: report--ddb0c358-6286-510d-92fd-7111984b6e3f

Feed Name: Checkmarx Zero

Threat Score: 60/100

Date Published: 2025-07-29

Date Updated: 2026-04-27

Author: Darren Meyer

This Checkmarx weekly AppSec roundup highlights two notable vulnerabilities: an SQL injection in the Go IoT analytics package 'ekuiper' (CVE-2025-54379) that can enable destructive SQL operations and is especially problematic to patch on edge IoT deployments, and an insufficient-randomness issue in the transitive 'form-data' dependency used by axios (with a published PoC) that can allow attacker control of form data. The post urges updating to patched versions (e.g., axios >= 1.11.0 or form-data 4.0.4) and underscores the operational complexity of managing transitive dependencies and IoT vulnerability remediation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.