
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-22150 affects the undici HTTP client for Node.js and was publicly disclosed on January 21, 2025. The affected ranges are 4.5.0 up to but not including 5.28.5, 6.0.0 up to but not including 6.21.1, and 7.0.0 up to but not including 7.2.3; the first fixed release in each line is 5.28.5, 6.21.1 and 7.2.3 respectively. The issue stems from the use of Math.random() to generate the boundary string for multipart/form-data request bodies (GitHub Advisory).
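The version ranges above are half-open (first affected, first fixed), which is easy to get wrong when checking a lockfile by eye. The following is an added example, not code from undici or from the advisory: it encodes the advisory's ranges, compares semver strings, and scans a package-lock.json object for every installed copy of undici, including nested ones. The lockfile contents are constructed for illustration.

```javascript
// Added example, not code from undici or the advisory: decide whether an
// undici version string falls inside the affected ranges for CVE-2025-22150.
// Ranges are the half-open intervals the advisory gives (first affected,
// first fixed); everything else here is constructed for illustration.
const AFFECTED_RANGES = [
  { from: '4.5.0', fixed: '5.28.5' },
  { from: '6.0.0', fixed: '6.21.1' },
  { from: '7.0.0', fixed: '7.2.3' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Returns -1, 0 or 1. A pre-release sorts before the release it precedes,
// so "6.21.1-rc.1" is still older than the fixed 6.21.1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0,
  );
}

// Walk a package-lock.json (lockfileVersion 2 or 3) object and report every
// installed copy of undici, nested ones included, that is in an affected range.
function vulnerableUndiciInLock(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages ?? {})) {
    const isUndici = path === 'node_modules/undici' || path.endsWith('/node_modules/undici');
    if (isUndici && pkg.version && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected top-level copy, one fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/undici': { version: '6.21.0' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/undici': { version: '5.28.5' },
  },
};

for (const hit of vulnerableUndiciInLock(SAMPLE_LOCK)) {
  console.log(`${hit.path}: undici ${hit.version} is affected by CVE-2025-22150`);
}
```

The lockfile scan only covers the npm package. Node.js also ships its own bundled copy of undici behind the global fetch(), reported by process.versions.undici, and that copy is updated only through Node.js releases, so check it separately.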
The vulnerability occurs because undici chose the boundary for multipart/form-data requests using Math.random(). Math.random() is not a cryptographic random source: in V8 it is a fast PRNG (xorshift128+) whose internal state, and therefore its future outputs, can be recovered from a small number of previously observed values. The issue has been assigned a CVSS v3.1 base score of 6.8 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N: network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high impact to confidentiality and integrity with no availability impact (GitHub Advisory, Red Hat CVE).
The boundary is the only thing that separates one part of a multipart body from the next, so a boundary an attacker can predict is a boundary an attacker can forge. If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker observes the boundaries of those requests, which leak the Math.random() outputs needed to predict the boundaries of later requests. Under certain conditions this allows the attacker to tamper with requests going to backend APIs, since content the attacker can place inside a later request body can be crafted to contain the real boundary, potentially compromising data confidentiality and integrity (GitHub Advisory).
The vulnerability is fixed in versions 5.28.5, 6.21.1 and 7.2.3; earlier releases in each of those lines remain affected. Until upgraded, the advised workaround is not to issue multipart requests to attacker-controlled servers. The fix replaces Math.random() with crypto.randomInt(), which draws from the platform's cryptographically secure random source, for generating boundary values (GitHub Advisory).
The vulnerability was identified through security research and reported through HackerOne. The Node.js team responded by switching boundary generation to a more secure random number source, crypto.randomInt() (Security Evaluators).
Source: This report was generated using AI