Description
Undici's fetch() uses Math.random() to choose the boundary for a multipart/form-data request. Math.random() is not a cryptographically secure generator: its output can be predicted once several of its generated values are known.
If an application can be made to send multipart requests to an attacker-controlled server, the attacker can collect the boundaries from those requests to obtain the values needed for that prediction.
Recommendation
Update the undici package to the latest compatible version. Version details:
Affected version(s): **>= 7.0.0, < 7.2.3**; **>= 6.0.0, < 6.21.1**; **>= 4.5.0, < 5.28.5**
Patched version(s): **7.2.3**, **6.21.1**, **5.28.5**
References
- GHSA-c76h-2ccp-4975
- hackerone.com
- blog.securityevaluators.com
- CVE-2025-22150
- CWE-330
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect - CVE-2024-30261
- counterpart vulnerable to prototype pollution - CVE-2025-57354
- Payload does not invalidate JWTs after log out - CVE-2025-4643
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
Tags:
- npm
- undici
Last updated on January 22, 2025