undici is vulnerable to Use of Insufficiently Random Values
64
Medium Risk
Affected versions of the undici library are vulnerable because they use insufficiently random values generated by Math.random() when encoding form-data in the body. Since Math.random() produces low-entropy and predictable values, attackers could potentially exploit this flaw to manipulate or alter data by predicting the encoded values. This vulnerability compromises the integrity of form-data, potentially leading to unauthorized data manipulation or injection attacks.
You are affected if you are using a version that falls within the vulnerable range.
undici is vulnerable to Use of Insufficiently Random Values in versions 4.4.0 - 5.28.4, 6.0.0 - 6.21.0 and 7.0.0 - 7.2.2.
Upgrade the undici library to a patched version.