CVE-2025-22150: Use of Insufficiently Random Values in undici
Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.
If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, the attacker can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
References
- blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
- github.com/advisories/GHSA-c76h-2ccp-4975
- github.com/nodejs/undici
- github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js
- github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
- github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
- github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
- github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
- hackerone.com/reports/2913312
- nvd.nist.gov/vuln/detail/CVE-2025-22150