MitM attack in Undici

1) Use of insufficiently random values

EUVDB-ID: #VU103227

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-22150

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the application uses "Math.random()" from the fetch() function to choose the boundary for a "multipart/form-data" request. A remote attacker with ability to intercept traffic can tamper with the requests going to the backend APIs.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

undici: 4.5.0 - 7.2.2

CPE2.3

• cpe:2.3:a:nodejs:undici:4.5.0:*:*:*:*:nodejs:*:*
• cpe:2.3:a:nodejs:undici:4.5.1:*:*:*:*:nodejs:*:*
• cpe:2.3:a:nodejs:undici:4.6.0:*:*:*:*:nodejs:*:*

External links

https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
https://hackerone.com/reports/2913312

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.