CVE-2025-22150: Undici Uses Insufficiently Random Values
First published: Tue Jan 21 2025(Updated: )
### Impact [Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met. ### Patches This is fixed in 5.28.5; 6.21.1; 7.2.3. ### Workarounds Do not issue multipart requests to attacker controlled servers. ### References * https://hackerone.com/reports/2913312 * https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/undici | >=7.0.0<7.2.3 | 7.2.3 |
| npm/undici | >=6.0.0<6.21.1 | 6.21.1 |
| npm/undici | >=4.5.0<5.28.5 | 5.28.5 |
| Node.js | >=4.5.0<5.28.5>=5.28.5<6.21.1>=6.21.1<7.2.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
- https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
- https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
- https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
- https://hackerone.com/reports/2913312
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
- https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
- https://nvd.nist.gov/vuln/detail/CVE-2025-22150
- https://github.com/advisories/GHSA-c76h-2ccp-4975 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-22150?
CVE-2025-22150 has a severity level that denotes potential risks associated with predictable boundaries in multipart/form-data requests.
How do I fix CVE-2025-22150?
To fix CVE-2025-22150, update the Undici package to version 7.2.3, 6.21.1, or 5.28.5.
What versions are affected by CVE-2025-22150?
CVE-2025-22150 affects Undici versions from 4.5.0 to 7.2.3, including several intermediary versions.
What issue does CVE-2025-22150 highlight regarding randomness?
CVE-2025-22150 highlights that the use of Math.random() in Undici can lead to predictable values, which may compromise security.
Is CVE-2025-22150 specific to a programming language?
Yes, CVE-2025-22150 specifically affects the Node.js ecosystem where the Undici package is utilized for HTTP requests.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/severity
- collector/nvd-cve
- agent/references
- agent/author
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c76h-2ccp-4975
- alias/CVE-2025-22150
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/event
- agent/softwarecombine
- agent/tags
- collector/github-advisory
- agent/guess-ai
- agent/software-canonical-lookup-request
- package-manager/npm
- vendor/node.js
- canonical/node.js