
CVSS: 7.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

21 Jan 2025 — Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. `Math.random()` is not a cryptographically secure generator: its output can be predicted once several of its generated values are known. If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the values needed to predict subsequent boundaries. Therefore, an attacker can tamper with the requests going to the... • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f • CWE-330: Use of Insufficiently Random Values •