undici: weak encryption in Math.random function (CVE-2025-22150) #shorts

Summary

On today's podcast, we're diving into CVE-2025-22150, a notable security vulnerability affecting the Undici HTTP client library used in Node.js environments. This issue arises from the use of non-cryptographically secure random values, presenting potential risk to data integrity.

Product details

The affected product here is Undici, an HTTP/1.1 client used extensively within Node.js applications. The vulnerability affects library versions from 4.5.0 onward, up to and including 5.28.4 on the 4.x/5.x line, 6.21.0 on the 6.x line, and 7.2.2 on the 7.x line.

Vulnerability type summary

The core of the issue is the CWE-330 classification, which pertains to the use of insufficiently random values. In this context, the Undici client improperly leverages the `Math.random()` function for generating multipart request boundaries, potentially allowing attackers to predict these values under certain conditions.

Details of the vulnerability

In practice, an attacker who can observe a series of values produced by `Math.random()` can predict the boundaries of future requests. This is particularly problematic when an application makes multipart requests to an attacker-controlled server, since every boundary it sends leaks one such value. With a predictable boundary, the attacker can tamper with requests sent to backend APIs. For mitigation, users should upgrade to Undici versions 5.28.5, 6.21.1, or 7.2.3, where this issue has been addressed.

Conclusion

In conclusion, CVE-2025-22150 highlights the potential risks associated with non-secure random number generation for critical functions in web clients. It's crucial for developers relying on the Undici library to update to the latest patches to secure their applications against potential exploits targeting this vulnerability.

Watch the full video on YouTube: CVE-2025-22150

CVE database technical details

CVE ID: CVE-2025-22150

Description: Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

Provider: GitHub_M

CWE / problem types: CWE-330: Use of Insufficiently Random Values

Affected software versions (nodejs/undici): >= 4.5.0, < 5.28.5; >= 6.0.0, < 6.21.1; >= 7.0.0, < 7.2.3 (all affected)

Date published: 2025-01-21T17:46:58.872Z

Last updated: 2025-02-12T20:41:22.041Z