CVE-2025-22150
📋 TL;DR
This vulnerability in Undici's multipart/form-data boundary generation allows attackers to predict and tamper with requests when an application sends multipart requests to attacker-controlled servers. It affects applications using Undici versions 4.5.0 through 5.28.4, 6.0.0 through 6.21.0, and 7.0.0 through 7.2.2. The issue stems from using predictable Math.random() for boundary generation instead of cryptographically secure random values.
💻 Affected Systems
- Undici HTTP client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could tamper with multipart requests to backend APIs, potentially leading to data manipulation, injection attacks, or unauthorized actions depending on the API functionality.
Likely Case
Request tampering in applications that send multipart requests to external, attacker-controlled endpoints, potentially causing data integrity issues or limited API abuse.
If Mitigated
No impact if applications don't send multipart requests to untrusted servers or have proper input validation and request signing.
🎯 Exploit Status
Exploitation requires collecting Math.random() outputs from the target and having the application send multipart requests to attacker-controlled servers. Public research demonstrates the Math.random() prediction technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.28.5, 6.21.1, and 7.2.3
Vendor Advisory: https://github.com/nodejs/undici/security/advisories
Restart Required: Yes
Instructions:
1. Identify Undici version in package.json
2. Update to patched version: npm update undici@^5.28.5 or npm update undici@^6.21.1 or npm update undici@^7.2.3
3. Restart all Node.js applications using Undici
4. Verify update with npm list undici
🔧 Temporary Workarounds
Avoid multipart requests to untrusted servers
Prevent sending multipart/form-data requests to external, untrusted servers that could be attacker-controlled.
🧯 If You Can't Patch
- Implement strict allowlisting for external endpoints that receive multipart requests from your application
- Add request signing or integrity checks for multipart requests to detect tampering
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list undici | grep undici@
Check Version:
npm list undici | grep undici@
Verify Fix Applied:
Verify version is 5.28.5+, 6.21.1+, or 7.2.3+ with: npm list undici
📡 Detection & Monitoring
Log Indicators:
- Unusual multipart request patterns to external domains
- Failed multipart requests with boundary prediction errors
Network Indicators:
- Multipart requests to suspicious external domains
- Unusual boundary values in multipart requests
SIEM Query:
source="application_logs" AND (multipart_request AND external_domain) OR (boundary_prediction_error)
🔗 References
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
- https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
- https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
- https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
- https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
- https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
- https://hackerone.com/reports/2913312