GHSA-c76h-2ccp-4975

Source

https://github.com/advisories/GHSA-c76h-2ccp-4975

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-c76h-2ccp-4975

Aliases

CVE-2025-22150

Published

2025-01-21T21:10:47Z

Modified

2025-01-21T21:26:52.766429Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Use of Insufficiently Random Values in undici

Details

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

https://hackerone.com/reports/2913312
https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

Database specific

{
    "nvd_published_at": "2025-01-21T18:15:14Z",
    "cwe_ids": [
        "CWE-330"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:10:47Z"
}

References

Affected packages

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

4.5.0

Fixed

5.28.5

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.21.1

npm / undici

Package

Name: undici; View open source insights on deps.dev
Purl: pkg:npm/undici

Affected ranges

Type: SEMVER
Events: Introduced

7.0.0

Fixed

7.2.3