6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-22150

GHSA ID

GHSA-c76h-2ccp-4975

EPSS Score

0.10323%

CWE

CWE-330

Published

1/21/2025

Updated

1/22/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-22150

CVE-2025-22150: Use of Insufficiently Random Values in undici

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

https://hackerone.com/reports/2913312
https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-22150

GHSA ID

GHSA-c76h-2ccp-4975

EPSS Score

0.10323%

CWE

CWE-330

Published

1/21/2025

Updated

1/22/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
undici	npm	>= 4.5.0, < 5.28.5	5.28.5
undici	npm	>= 6.0.0, < 6.21.1	6.21.1
undici	npm	>= 7.0.0, < 7.2.3	7.2.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure random number generation for multipart boundaries. The commit diff shows the boundary generation in extractBody() originally used Math.random() (CWE-330). The line const boundary = ...Math.random()... in body.js was identified as vulnerable in multiple references (HackerOne report, NVD description). The patch replaces Math.random() with crypto.randomInt, confirming this was the vulnerable code path. The function's role in generating security-sensitive boundaries and direct use of non-cryptographic RNG makes it the clear vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t [Un*i*i `**t**()` us*s M*t*.r*n*om()](*ttps://*it*u*.*om/no**js/un*i*i/*lo*/****************************************/li*/w**/**t**/*o*y.js#L***) to **oos* t** *oun**ry *or * multip*rt/*orm-**t* r*qu*st. It is known t**t t** output o* M*t*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* r*n*om num**r **n*r*tion *or multip*rt *oun**ri*s. T** *ommit *i** s*ows t** *oun**ry **n*r*tion in *xtr**t*o*y() ori*in*lly us** M*t*.r*n*om() (*W*-***). T** lin* `*onst *oun**ry = ...M*t*.r*n*om()...` in *o*y.j

6.8

Basic Information

Concerned about an active attack path?

CVE-2025-22150: Use of Insufficiently Random Values in undici

Impact

Patches

Workarounds

References

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI