CVE-2025-22150
CVSS 3.1 Score 6.8 of 10 (medium)
Details
Summary
CVE-2025-22150 is a vulnerability in Undici, an HTTP/1.1 client for Node.js, affecting releases from version 4.5.0 up to, but not including, the fixed versions 5.28.5, 6.21.1 and 7.2.3. Undici chose the boundary string for multipart/form-data request bodies with `Math.random()`, which is not a cryptographically secure generator: its output can be predicted from previously observed values. If an application sends multipart requests to an attacker-controlled server, the attacker can use the boundaries observed there to predict the boundary of later requests and tamper with the requests the application sends to its backend APIs. The issue is fixed in versions 5.28.5, 6.21.1 and 7.2.3. As a temporary measure, avoid issuing multipart requests to attacker-controlled servers.