CVE-2025-22150 is an important security vulnerability discovered in the Undici HTTP/1.1 client, a library widely used for making HTTP/1.1 requests from Node.js applications. The issue affects Undici versions starting at 4.5.0 and prior to 5.28.5, 6.21.1, and 7.2.3. The vulnerability exists because Undici uses the Math.random() function, which is not a cryptographically secure random number generator, to generate the boundary in multipart/form-data requests.

Undici uses the following code to choose the boundary for a multipart/form-data request:

// BOUNDARY_LENGTH >> 2 hex digits, all taken from a non-cryptographic PRNG
boundary += Math.random().toString(16)
  .substring(2)
  .slice(0, BOUNDARY_LENGTH >> 2);

Here, Undici relies on Math.random() to generate the boundary, which is a crucial aspect of a multipart request: the boundary is what separates the individual parts of the body. However, it is widely known that the output of Math.random() can be predicted once several of its generated values are known [^1^].

In the given scenario, if an application can be made to send multipart requests to an attacker-controlled server, the attacker can observe the boundaries of those requests and thereby learn enough Math.random() output to predict the values used for later boundaries. If certain conditions are met, this can allow the attacker to tamper with the requests going to the backend APIs.

Impacted Versions

Undici versions 4.5.0 to 5.28.4, 6.0.0 to 6.21.0, and 7.0.0 to 7.2.2 are affected by this vulnerability. The vulnerability is patched in versions 5.28.5, 6.21.1, and 7.2.3.

Solution and Remediation

Users of the affected Undici versions are advised to update to version 5.28.5, 6.21.1, or 7.2.3 (whichever matches their major release line) immediately. The updated versions contain a fix for the vulnerability.

As a workaround, users should avoid issuing multipart requests to attacker-controlled servers until the fix has been applied.

References

[^1^]: _Predicting Values of Math.random()_: https://security.stackexchange.com/questions/235796/can-a-series-of-typical-js-random-numbers-reveal-anything-about-system-randomne

[^2^]: _Undici GitHub Repository (including release notes)_: https://github.com/nodejs/undici

[^3^]: _NPM Package Page for Undici_: https://www.npmjs.com/package/undici

Timeline

Published on: 01/21/2025 18:15:14 UTC