Description
Undici's fetch() uses Math.random() to choose the boundary for a multipart/form-data request. The output of Math.random() is known to be predictable once several of its generated values are observed. If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the values needed for that prediction.
Recommendation
Update the undici package to the latest compatible version. Version details:

Affected version(s): **>= 7.0.0, < 7.2.3**; **>= 6.0.0, < 6.21.1**; **>= 4.5.0, < 5.28.5**
Patched version(s): **7.2.3**, **6.21.1**, **5.28.5**
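For teams triaging this advisory, an added example (not code from the advisory or the undici project) that encodes the affected ranges above, checks a version string against them and scans the "packages" map of a package-lock.json for every installed undici copy, nested ones included; version strings are assumed to be plain major.minor.patch.

```javascript
// Added example (not from the advisory or the undici project): checks undici
// version strings against the affected ranges this advisory lists and scans a
// package-lock.json "packages" map for vulnerable nested copies. Assumes plain
// major.minor.patch versions; a pre-release suffix is ignored.
const AFFECTED_RANGES = [
  { min: '7.0.0', max: '7.2.3' },  // >= 7.0.0, < 7.2.3   (patched: 7.2.3)
  { min: '6.0.0', max: '6.21.1' }, // >= 6.0.0, < 6.21.1  (patched: 6.21.1)
  { min: '4.5.0', max: '5.28.5' }, // >= 4.5.0, < 5.28.5  (patched: 5.28.5)
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The affected range containing `version`, or null when it is not affected.
// Its `max` is the first patched release on that major line.
function affectedRange(version) {
  return AFFECTED_RANGES.find(({ min, max }) =>
    compareVersions(version, min) >= 0 && compareVersions(version, max) < 0) || null;
}

function isAffected(version) { return affectedRange(version) !== null; }
// Scan the "packages" map of a package-lock.json (lockfileVersion 2 or 3);
// keys are install paths, so copies nested under other deps are found too.
function findVulnerableUndici(lockPackages) {
  return Object.entries(lockPackages)
    .filter(([p, e]) => /(^|\/)node_modules\/undici$/.test(p)
      && e && typeof e.version === 'string' && isAffected(e.version))
    .map(([p, e]) => ({ path: p, version: e.version, upgradeTo: affectedRange(e.version).max }));
}
// Constructed sample lockfile fragment for demonstration (not a real project).
const SAMPLE_LOCK_PACKAGES = {
  '': { name: 'sample-app', version: '1.0.0' },
  'node_modules/undici': { version: '6.20.1' },
  'node_modules/dep-a/node_modules/undici': { version: '5.28.5' },
  'node_modules/dep-b/node_modules/undici': { version: '4.16.0' },
};
console.log(findVulnerableUndici(SAMPLE_LOCK_PACKAGES));
```

Point the function at `JSON.parse(fs.readFileSync('package-lock.json')).packages` to audit a real lockfile; each hit names the install path, the vulnerable version and the first patched release on that line.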
References
- GHSA-c76h-2ccp-4975
- hackerone.com
- blog.securityevaluators.com
- CVE-2025-22150
- CWE-330
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- counterpart vulnerable to prototype pollution - CVE-2025-57354
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - CVE-2024-30260
Tags:
- npm
- undici
Last updated on January 22, 2025