Vulnerability details: VCID-pah5-gspe-hbbh
Vulnerability ID VCID-pah5-gspe-hbbh
Aliases CVE-2025-22150
GHSA-c76h-2ccp-4975
Summary Use of Insufficiently Random Values in undici

### Impact

[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.

### Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

### Workarounds

Do not issue multipart requests to attacker-controlled servers.

### References

* https://hackerone.com/reports/2913312
* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 6.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json
epss 0.00605 https://api.first.org/data/v1/epss?cve=CVE-2025-22150
cvssv3.1 6.8 https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
generic_textual MODERATE https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
ssvc Track* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
cvssv3.1 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-c76h-2ccp-4975
cvssv3.1 6.8 https://github.com/nodejs/undici
generic_textual MODERATE https://github.com/nodejs/undici
cvssv3.1 6.8 https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
generic_textual MODERATE https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
ssvc Track* https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
cvssv3.1 6.8 https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
generic_textual MODERATE https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
ssvc Track* https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
cvssv3.1 6.8 https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
generic_textual MODERATE https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
ssvc Track* https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
cvssv3.1 6.8 https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
generic_textual MODERATE https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
ssvc Track* https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
cvssv3.1 6.8 https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
cvssv3.1_qr MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
generic_textual MODERATE https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
ssvc Track* https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
cvssv3.1 6.8 https://hackerone.com/reports/2913312
generic_textual MODERATE https://hackerone.com/reports/2913312
ssvc Track* https://hackerone.com/reports/2913312
cvssv3.1 6.8 https://nvd.nist.gov/vuln/detail/CVE-2025-22150
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-22150
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json
https://api.first.org/data/v1/epss?cve=CVE-2025-22150
https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/nodejs/undici
https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
https://hackerone.com/reports/2913312
https://nvd.nist.gov/vuln/detail/CVE-2025-22150
2339176 https://bugzilla.redhat.com/show_bug.cgi?id=2339176
GHSA-c76h-2ccp-4975 https://github.com/advisories/GHSA-c76h-2ccp-4975
RHSA-2025:1351 https://access.redhat.com/errata/RHSA-2025:1351
RHSA-2025:1443 https://access.redhat.com/errata/RHSA-2025:1443
RHSA-2025:1446 https://access.redhat.com/errata/RHSA-2025:1446
RHSA-2025:1454 https://access.redhat.com/errata/RHSA-2025:1454
RHSA-2025:1582 https://access.redhat.com/errata/RHSA-2025:1582
RHSA-2025:1611 https://access.redhat.com/errata/RHSA-2025:1611
RHSA-2025:1613 https://access.redhat.com/errata/RHSA-2025:1613
RHSA-2025:17145 https://access.redhat.com/errata/RHSA-2025:17145
RHSA-2025:1931 https://access.redhat.com/errata/RHSA-2025:1931
RHSA-2025:2588 https://access.redhat.com/errata/RHSA-2025:2588
RHSA-2025:3368 https://access.redhat.com/errata/RHSA-2025:3368
RHSA-2025:3374 https://access.redhat.com/errata/RHSA-2025:3374
RHSA-2025:3397 https://access.redhat.com/errata/RHSA-2025:3397
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22150.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://hackerone.com/reports/2913312
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T18:34:22Z/ Found at https://hackerone.com/reports/2913312
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-22150
Exploit Prediction Scoring System (EPSS)
Percentile 0.69543
EPSS Score 0.00605
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:55:23.835993+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json 38.0.0