Headline
GHSA-c76h-2ccp-4975: Use of Insufficiently Random Values in undici
Impact
Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.
If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Workarounds
Do not issue multipart requests to attacker-controlled servers.
References
- https://hackerone.com/reports/2913312
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
CVE ID: CVE-2025-22150
Moderate severity · GitHub Reviewed · Published Jan 21, 2025 in nodejs/undici · Updated Jan 21, 2025
Affected versions
>= 4.5.0, < 5.28.5
>= 6.0.0, < 6.21.1
>= 7.0.0, < 7.2.3
Patched versions
5.28.5
6.21.1
7.2.3
Published to the GitHub Advisory Database: Jan 21, 2025
Last updated: Jan 21, 2025