Description
Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.
If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to collect the generated values needed for that prediction.
Recommendation
Update the undici package to the latest compatible version. The affected and patched versions are:
Affected version(s): **>= 7.0.0, < 7.2.3**; **>= 6.0.0, < 6.21.1**; **>= 4.5.0, < 5.28.5**
Patched version(s): **7.2.3**, **6.21.1**, **5.28.5**
References
- GHSA-c76h-2ccp-4975
- hackerone.com
- blog.securityevaluators.com
- CVE-2025-22150
- CWE-330
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- undici Denial of Service attack via bad certificate data - CVE-2025-47279
- Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750
- Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - CVE-2025-12758
Tags
- npm
- undici
Last updated on January 22, 2025