CVE-2025-22150 Overview
A vulnerability has been identified in Undici, a popular HTTP/1.1 client for Node.js, where the use of Math.random() for generating multipart/form-data boundaries introduces a security weakness. Since Math.random() produces predictable output when several generated values are known, attackers who can collect boundary values from multipart requests may be able to predict future boundaries. This could allow request tampering against backend APIs if an application sends multipart requests to attacker-controlled servers.
Critical Impact
Attackers can potentially predict multipart form-data boundaries and tamper with HTTP requests to backend APIs, compromising data integrity and confidentiality.
Affected Products
- Undici versions 4.5.0 through 5.28.4
- Undici versions 6.0.0 through 6.21.0
- Undici versions 7.0.0 through 7.2.2
Discovery Timeline
- 2025-01-21 - CVE CVE-2025-22150 published to NVD
- 2025-01-21 - Last updated in NVD database
Technical Details for CVE-2025-22150
Vulnerability Analysis
This vulnerability stems from Undici's use of Math.random() for generating boundary strings in multipart/form-data HTTP requests. The JavaScript Math.random() function is not cryptographically secure—it uses a pseudorandom number generator (PRNG) whose internal state can be reconstructed if an attacker observes enough output values.
In scenarios where an application sends multipart requests to external servers (including potentially attacker-controlled endpoints), the boundary values become observable. An attacker collecting multiple boundary strings can reverse-engineer the PRNG state and predict future boundary values. With knowledge of upcoming boundaries, the attacker could craft malicious payloads that exploit the predictable boundary to inject or modify data in requests destined for legitimate backend APIs.
The attack requires specific conditions: the victim application must send multipart requests to attacker-controlled infrastructure, and the attacker must collect sufficient boundary values to predict the PRNG state. Despite these prerequisites, the potential for request tampering affecting data integrity and confidentiality makes this a significant concern for applications using affected Undici versions.
Root Cause
The root cause is classified as CWE-330: Use of Insufficiently Random Values. The vulnerable code in lib/web/fetch/body.js used Math.random() directly for boundary generation, which provides only pseudorandom values unsuitable for security-sensitive operations. Cryptographic contexts require the use of cryptographically secure random number generators (CSPRNGs) such as Node.js's crypto.randomInt().
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must first establish a mechanism to receive multipart requests from the target application—typically by tricking the application or its users into sending requests to attacker-controlled servers. Once boundary values are collected, the attacker analyzes them to predict the PRNG state. With this knowledge, the attacker can predict boundaries in subsequent requests and potentially tamper with legitimate API communications.
The attack complexity is high due to the requirement of collecting multiple random values and successfully predicting the PRNG state, but sophisticated attackers with access to boundary values can execute this attack.
// Security patch in lib/web/fetch/body.js - Backport of c2d78cd
// Source: https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
const { File: UndiciFile } = require('./file')
const { parseMIMEType, serializeAMimeType } = require('./dataURL')
+let random
+try {
+ const crypto = require('node:crypto')
+ random = (max) => crypto.randomInt(0, max)
+} catch {
+ random = (max) => Math.floor(Math.random(max))
+}
+
let ReadableStream = globalThis.ReadableStream
/** @type {globalThis['File']} */
Detection Methods for CVE-2025-22150
Indicators of Compromise
- Unusual patterns of multipart/form-data requests from application servers to external or unknown endpoints
- High volumes of outbound HTTP requests containing multipart boundaries to suspicious destinations
- Evidence of data exfiltration or request interception in backend API logs
Detection Strategies
- Audit application dependencies to identify Undici versions between 4.5.0 and the patched releases (5.28.5, 6.21.1, 7.2.3)
- Monitor network traffic for multipart requests to untrusted or attacker-controlled domains
- Implement Software Composition Analysis (SCA) tools to flag vulnerable Undici versions in your codebase
Monitoring Recommendations
- Enable logging for all outbound HTTP requests from Node.js applications, particularly those containing multipart/form-data content
- Implement egress filtering to restrict applications from making requests to unknown external servers
- Use application-level monitoring to detect unexpected HTTP client behavior patterns
How to Mitigate CVE-2025-22150
Immediate Actions Required
- Upgrade Undici to patched versions: 5.28.5, 6.21.1, or 7.2.3 depending on your major version
- Audit your application to identify any code paths that send multipart requests to external or user-controlled URLs
- Implement network egress controls to prevent applications from communicating with untrusted servers
Patch Information
The vulnerability has been fixed in Undici versions 5.28.5, 6.21.1, and 7.2.3. The patch replaces the insecure Math.random() call with crypto.randomInt() from Node.js's cryptographic module, ensuring cryptographically secure boundary generation. The fix includes a fallback to Math.random() only in environments where the crypto module is unavailable.
For detailed patch information, see the GitHub Security Advisory and the HackerOne Vulnerability Report.
Workarounds
- Avoid sending multipart/form-data requests to attacker-controlled or untrusted servers
- Implement strict URL allowlisting for any outbound HTTP requests from your application
- Consider implementing a proxy layer that validates and controls outbound request destinations
# Upgrade Undici to patched version
npm update undici
# Or install specific patched versions
npm install undici@5.28.5
npm install undici@6.21.1
npm install undici@7.2.3
# Verify installed version
npm list undici
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
