How severe is CVE-2025-22150?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.8 out of 10.

What type of vulnerability is CVE-2025-22150?

This is classified as CWE-330, which is a common weakness in software security.

CVE-2025-22150

MEDIUM Year: 2025

CVSS v3 Score

6.8

Medium

Weakness Type

CWE-330

View all →

Vulnerability Description

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

CVE-2017-13077

MEDIUM

CVSS:6.8(Medium)

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decr...

CWE-3302017

CVE-2008-5162

HIGH

CVSS:7.0(High)

The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict th...

CWE-3302008

CVE-2017-17910

MEDIUM

CVSS:6.5(Medium)

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur trans...

CWE-3302017

CVE-2018-1279

MEDIUM

CVSS:6.5(Medium)

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain informat...

CWE-3302018

CVE-2018-18425

MEDIUM

CVSS:6.5(Medium)

The doAirdrop function of a smart contract implementation for Primeo (PEO), an Ethereum token, does not check the numerical relationship between the amount of the air drop and the token's total supply...

CWE-3302018

CVE-2018-19983

MEDIUM

CVSS:6.5(Medium)

An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the at...

CWE-3302018

CVE-2025-22150

Vulnerability Description

Related Vulnerabilities

CVE-2017-13077

CVE-2008-5162

CVE-2017-17910

CVE-2018-1279

CVE-2018-18425

CVE-2018-19983