CVE-2025-22150

CWE-330 | 7 documents | 6 sources
Severity: 6.8 (MEDIUM)
EPSS: 0.6% (top 30.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jan 21

Description

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Affected Packages (3 packages)

Source | Package | Affected / fixed versions
npm | undici | introduced 4.5.0, fixed 5.28.5 (+2 more ranges)
Debian | node-undici | < 7.3.0+dfsg1+~cs24.12.11-1 (+1 more range)
CVEListV5 | nodejs/undici | >= 4.5.0, < 5.28.5; >= 6.0.0, < 6.21.1; >= 7.0.0, < 7.2.3 (+2 more ranges)

🔴Vulnerability Details (4)

OSV: Use of Insufficiently Random Values in undici (2025-01-21)
GHSA: Use of Insufficiently Random Values in undici (2025-01-21)
OSV: CVE-2025-22150: Undici is an HTTP/1 (2025-01-21)
CVEList: Undici Uses Insufficiently Random Values (2025-01-21)

📋Vendor Advisories (2)

Red Hat: undici: Undici Uses Insufficiently Random Values (2025-01-21)
Debian: CVE-2025-22150: node-undici - Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.... (2025)
CVE-2025-22150 (MEDIUM CVSS 6.8) | Undici is an HTTP/1.1 client | cvebase.io