CVE-2025-22150

EUVD-2025-0154
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Debian logo
Debian Releases
Debian Product
Codename
node-undici
bookworm
no-dsa
bookworm (security)
vulnerable
forky
7.24.6+dfsg+~cs3.2.0-3
fixed
sid
7.24.6+dfsg+~cs3.2.0-3
fixed
trixie
7.3.0+dfsg1+~cs24.12.11-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs18
suse enterprise server 12 SP5
18.20.6-8.33.1
fixed
suse enterprise server 15 SP4
18.20.6-150400.9.33.1
fixed
suse enterprise server 15 SP5
18.20.6-150400.9.33.1
fixed
nodejs18-devel
suse enterprise server 12 SP5
18.20.6-8.33.1
fixed
suse enterprise server 15 SP4
18.20.6-150400.9.33.1
fixed
suse enterprise server 15 SP5
18.20.6-150400.9.33.1
fixed
nodejs18-docs
suse enterprise server 12 SP5
18.20.6-8.33.1
fixed
suse enterprise server 15 SP4
18.20.6-150400.9.33.1
fixed
suse enterprise server 15 SP5
18.20.6-150400.9.33.1
fixed
nodejs20
suse enterprise sap 15 SP6
20.18.2-150600.3.9.1
fixed
suse enterprise server 15 SP5
20.18.2-150500.11.18.1
fixed
suse enterprise server 15 SP6
20.18.2-150600.3.9.1
fixed
nodejs20-devel
suse enterprise sap 15 SP6
20.18.2-150600.3.9.1
fixed
suse enterprise server 15 SP5
20.18.2-150500.11.18.1
fixed
suse enterprise server 15 SP6
20.18.2-150600.3.9.1
fixed
nodejs20-docs
suse enterprise sap 15 SP6
20.18.2-150600.3.9.1
fixed
suse enterprise server 15 SP5
20.18.2-150500.11.18.1
fixed
suse enterprise server 15 SP6
20.18.2-150600.3.9.1
fixed
nodejs22
suse enterprise sap 15 SP6
22.13.1-150600.13.6.1
fixed
suse enterprise server 15 SP6
22.13.1-150600.13.6.1
fixed
nodejs22-devel
suse enterprise sap 15 SP6
22.13.1-150600.13.6.1
fixed
suse enterprise server 15 SP6
22.13.1-150600.13.6.1
fixed
nodejs22-docs
suse enterprise sap 15 SP6
22.13.1-150600.13.6.1
fixed
suse enterprise server 15 SP6
22.13.1-150600.13.6.1
fixed
npm18
suse enterprise server 12 SP5
18.20.6-8.33.1
fixed
suse enterprise server 15 SP4
18.20.6-150400.9.33.1
fixed
suse enterprise server 15 SP5
18.20.6-150400.9.33.1
fixed
npm20
suse enterprise sap 15 SP6
20.18.2-150600.3.9.1
fixed
suse enterprise server 15 SP5
20.18.2-150500.11.18.1
fixed
suse enterprise server 15 SP6
20.18.2-150600.3.9.1
fixed
npm22
suse enterprise sap 15 SP6
22.13.1-150600.13.6.1
fixed
suse enterprise server 15 SP6
22.13.1-150600.13.6.1
fixed
Common Weakness Enumeration
References
https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
https://hackerone.com/reports/2913312