-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaScriptJavaScriptMiggo AIRoot Cause AnalysisThe vulnerability stems from insecure random number generation for multipart boundaries. The commit diff shows the boundary generation in extractBody() originally used Math.random() (CWE-330). The line const boundary = ...Math.random()... in body.js was identified as vulnerable in multiple references (HackerOne report, NVD description). The patch replaces Math.random() with crypto.randomInt, confirming this was the vulnerable code path. The function's role in generating security-sensitive boundaries and direct use of non-cryptographic RNG makes it the clear vulnerability source.
Ongoing coverage of React2Shell
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| undici | npm | >= 4.5.0, < 5.28.5 | 5.28.5 |
| undici | npm | >= 6.0.0, < 6.21.1 | 6.21.1 |
| undici | npm | >= 7.0.0, < 7.2.3 | 7.2.3 |