Package details: pkg:apk/alpine/nodejs@22.13.1-r0?arch=aarch64&distroversion=v3.23&reponame=main
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-pah5-gspe-hbbh Use of Insufficiently Random Values in undici
### Impact
[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
### Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
### Workarounds
Do not issue multipart requests to attacker-controlled servers.
### References
* https://hackerone.com/reports/2913312
* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
CVE-2025-22150
GHSA-c76h-2ccp-4975
VCID-pd4q-4b15-gqey A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API. CVE-2025-23084
VCID-wf5t-3pwz-c7d7 Multiple vulnerabilities have been discovered in Node.js, the worst of which can lead to arbitrary code execution. CVE-2025-23085
VCID-ydzj-e97m-k3cp Multiple vulnerabilities have been discovered in Node.js, the worst of which can lead to arbitrary code execution. CVE-2025-23083

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-03T17:42:56.958548+00:00 Alpine Linux Importer Fixing VCID-pd4q-4b15-gqey https://secdb.alpinelinux.org/v3.23/main.json 38.1.0
2026-04-01T19:08:42.334200+00:00 Alpine Linux Importer Fixing VCID-ydzj-e97m-k3cp https://secdb.alpinelinux.org/v3.23/main.json 38.0.0
2026-04-01T19:06:09.519065+00:00 Alpine Linux Importer Fixing VCID-wf5t-3pwz-c7d7 https://secdb.alpinelinux.org/v3.23/main.json 38.0.0
2026-04-01T18:50:29.479997+00:00 Alpine Linux Importer Fixing VCID-pah5-gspe-hbbh https://secdb.alpinelinux.org/v3.23/main.json 38.0.0