CVE-2025-22150
Information Leak vulnerability in undici (npm)
What is CVE-2025-22150 About?
Undici's `fetch()` implementation uses `Math.random()` to generate multipart boundaries. `Math.random()` is not cryptographically secure, and its output becomes predictable once several of its values are known. If an application sends multipart requests to an attacker-controlled site, an attacker can exploit this to learn the boundary values and tamper with requests to backend APIs. This vulnerability is moderately complex to exploit and requires specific conditions.
Affected Software
- undici
  - >6.0.0, <6.21.1
  - >4.5.0, <5.28.5
  - >7.0.0, <7.2.3
Technical Details
The vulnerability in Undici's fetch() implementation (specifically in lib/web/fetch/body.js) stems from its use of Math.random() to generate boundaries for multipart/form-data requests. Math.random() is not cryptographically secure, and its output can be predicted if a sufficient number of its generated values are observed. If an application sends multipart requests to an attacker-controlled website, the attacker can collect multiple Math.random() outputs by observing the generated boundaries. With this information, the attacker can then predict future boundaries. This predictability allows the attacker to craft valid multipart requests that mimic the application's expected format, potentially enabling them to tamper with sensitive requests intended for backend APIs, thereby bypassing security controls.
What is the Impact of CVE-2025-22150?
Successful exploitation may allow attackers to predict multipart boundaries, leading to request tampering, data manipulation, or unauthorized access to backend APIs.
What is the Exploitability of CVE-2025-22150?
Exploitation of this vulnerability has moderate complexity. It requires specific conditions: an application must be sending multipart requests to an attacker-controlled server, allowing the attacker to observe multiple Math.random() outputs used for boundaries. The attacker needs to collect enough generated values to predict future ones. No direct authentication or elevated privileges are required, beyond the ability for the vulnerable application to communicate with an attacker-controlled endpoint. This is generally a remote exploitation scenario. The key constraint, and the factor that raises the risk, is the application's behavior of sending multipart requests to untrusted destinations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-22150?
Available Upgrade Options
- undici
  - >4.5.0, <5.28.5 → Upgrade to 5.28.5
  - >6.0.0, <6.21.1 → Upgrade to 6.21.1
  - >7.0.0, <7.2.3 → Upgrade to 7.2.3
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-22150
- https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
- https://hackerone.com/reports/2913312
- https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
- https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
- https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
- https://github.com/nodejs/undici
What are Similar Vulnerabilities to CVE-2025-22150?
Similar Vulnerabilities: CVE-2019-10086, CVE-2018-8742, CVE-2017-1000350, CVE-2016-10769, CVE-2016-5387
