CVE-2025-22150

Name
CVE-2025-22150
Description
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
MISC https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
MISC https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
MISC https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
MISC https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
CONFIRM https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
MISC https://hackerone.com/reports/2913312

Match rules

CPE URI Source package Min version Max version
undici >= 4.5.0 < 5.28.5
undici >= 6.0.0 < 6.21.1
undici >= 7.0.0 < 7.2.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs edge-main 22.13.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
nodejs 3.22-main 22.13.1-r0 None fixed
nodejs 3.21-main 22.13.1-r0 Jakub Jirutka <jakub@jirutka.cz> fixed