PT-2025-4384 · Undici+7
Parrot409
Published 2025-01-21 · Updated 2026-04-01
CVE-2025-22150
CVSS v3.1 6.8 Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
undici versions 4.5.0 through 5.28.4
undici versions 4.5.0 through 6.21.0
undici versions 4.5.0 through 7.2.2
Description
The issue arises from undici using Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, the attacker can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
Recommendations
For undici versions 4.5.0 through 5.28.4, update to version 5.28.5 or later.
For undici versions 4.5.0 through 6.21.0, update to version 6.21.1 or later.
For undici versions 4.5.0 through 7.2.2, update to version 7.2.3 or later.
As a temporary workaround, do not issue multipart requests to attacker-controlled servers.
Weakness Enumeration
Use of Insufficiently Random Values
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Debian
Red Hat
Rocky Linux
Suse
Undici