Description
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
Patch x_refsource_misc
https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
Patch x_refsource_misc
https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
Patch x_refsource_misc
https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
Third Party Advisory x_refsource_misc
https://hackerone.com/reports/2913312
Various Sources x_refsource_misc
https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Various Sources x_refsource_misc
https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
Scores
CVSS v3
6.8
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-330
Status
published
Products (4)
nodejs/undici
>= 4.5.0, < 5.28.5
nodejs/undici
>= 6.0.0, < 6.21.1
nodejs/undici
>= 7.0.0, < 7.2.3
npm/undici
4.5.0 - 5.28.5npm
Published
Jan 21, 2025
Tracked Since
Feb 18, 2026