CVE-2025-22150
January 21, 2025
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Affected Packages
undici (NPM):
Affected version(s) >=6.0.0 <6.21.1Fix Suggestion:
Update to version 6.21.1undici (NPM):
Affected version(s) >=4.5.0 <5.28.5Fix Suggestion:
Update to version 5.28.5undici (NPM):
Affected version(s) >=7.0.0 <7.2.3Fix Suggestion:
Update to version 7.2.3Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (9)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Use of Insufficiently Random Values
EPSS
Base Score:
0.2
