6.8

CVE-2025-22150

EPSS 0.61%
Veröffentlicht 21.01.2025 18:15:14
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Undici Uses Insufficiently Random Values

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellernodejs

≫

Produkt undici

Version >= 4.5.0, < 5.28.5

Status affected

Version >= 6.0.0, < 6.21.1

Status affected

Version >= 7.0.0, < 7.2.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.61%	0.692

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113

https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0

https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a

https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385

https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975

https://hackerone.com/reports/2913312

https://nvd.nist.gov/vuln/detail/CVE-2025-22150

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-22150

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-22150

EUVD