CVE-2025-22150

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.

This Cyber News was published on www.tenable.com. Publication date: Wed, 22 Jan 2025 22:56:02 +0000


Cyber News related to CVE-2025-22150

CISA Releases 20 ICS Advisories Detailing Vulnerabilities & Exploits - Vulnerabilities in the SIPROTEC 5 series include Cleartext storage of sensitive information (CVE-2024-53651), which has a CVSS v3 base score of 4.6. Mitigation involves firmware updates and restricting network access. This SCADA management software ...
4 days ago Cybersecuritynews.com
CVE-2025-22150 - Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be ...
4 weeks ago Tenable.com
CVE-2022-22150 - A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, ...
2 years ago
CVE-2020-22150 - A cross site scripting (XSS) vulnerability in /admin.php?pagepermalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML. ...
3 years ago
CVE-2024-22150 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS.This issue affects Portfolio & Image Gallery for WordPress | ...
1 year ago Tenable.com
Microsoft fixes bug causing Windows Server 2025 boot errors - In November, Redmond addressed another series of bugs that were triggering install, upgrade, and Blue Screen of Death (BSOD) issues on Windows Server 2025 devices with a high core count, and one month later, a known issue causing boot failures on ...
4 days ago Bleepingcomputer.com
PostgreSQL flaw exploited as zero-day in BeyondTrust breach - Rapid7 security researchers have also identified a method to exploit CVE-2025-1094 for remote code execution in vulnerable BeyondTrust Remote Support (RS) systems independently of the CVE-2024-12356 argument injection vulnerability. Rapid7's tests ...
4 days ago Bleepingcomputer.com
CVE-2025-0925 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-0818. Reason: This candidate is a reservation duplicate of CVE-2025-0818. Notes: All CVE users should reference CVE-2025-0818 instead of this candidate. All ...
6 days ago Tenable.com
CVE-2025-0919 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-0818. Reason: This candidate is a reservation duplicate of CVE-2025-0818. Notes: All CVE users should reference CVE-2025-0818 instead of this candidate. All ...
6 days ago Tenable.com
CVE-2025-0977 - Update the openssl crate to version 0.10.70 and the openssl-sys crate to version 0.9.105. ...
1 week ago Tenable.com
Microsoft releases first Windows Server 2025 preview build - Microsoft has released Windows Server Insider Preview 26040, the first Windows Server 2025 build for admins enrolled in its Windows Insider program. This build is the first pushed for the next Windows Server Long-Term Servicing Channel Preview, which ...
1 year ago Bleepingcomputer.com
PostgreSQL Terminal Tool Injection Vulnerability Allows Remote Code Execution - Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Attackers can exploit this vulnerability to execute arbitrary SQL statements and achieve arbitrary code execution (ACE) by ...
4 days ago Cybersecuritynews.com
CVE-2025-1091 - Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components (node.js, Envoy, libcurl) were found to contain vulnerabilities, and updated versions have been made available by ...
1 week ago Tenable.com
CVE-2025-0760 - Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components (node.js, Envoy, libcurl) were found to contain vulnerabilities, and updated versions have been made available by ...
1 week ago Tenable.com
Chrome use-after-free Vulnerability Let Attackers Execute Code Remotely - Google has rolled out an urgent security update for Chrome, addressing four high-severity vulnerabilities that could allow attackers to execute malicious code or compromise user data. The update, Chrome version 133.0.6943.98/.99 for Windows/Mac and ...
5 days ago Cybersecuritynews.com
WinZip Vulnerability Let Remote Attackers Execute Arbitrary Code - A newly disclosed high-severity vulnerability in WinZip, tracked as CVE-2025-1240, enables remote attackers to execute arbitrary code on affected systems by exploiting malformed 7Z archive files. Security firm Zero Day Initiative (ZDI) detailed the ...
4 days ago Cybersecuritynews.com
OpenSSH Vulnerabilities Expose Clients and Servers to MitM & DoS Attacks - Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With OpenSSH integral to enterprise infrastructure, these vulnerabilities pose significant risks to data integrity, system ...
4 hours ago Cybersecuritynews.com
New OpenSSH flaws expose SSH servers to MiTM and DoS attacks - "The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to "yes" or "ask" (its default is "no"), requires no user interaction, and does not depend on the existence of an SSHFP resource ...
2 hours ago Bleepingcomputer.com
CVE-2025-0332 - In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory. ...
6 days ago Tenable.com
CVE-2025-24897 - Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's ...
1 week ago Tenable.com
CVE-2025-24896 - Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains ...
1 week ago Tenable.com
CVE-2025-25198 - mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset ...
6 days ago Tenable.com
Threat Actors Exploiting DeepSeek's Popularity To Deploy Malware - To safely navigate AI models like DeepSeek while minimizing phishing and malware risks, users should utilize Criminal IP’s IP analysis service to verify server locations and network security. Cyber attackers have been creating phishing websites ...
5 days ago Cybersecuritynews.com
CVE-2021-42718 - Information Disclosure in API in Replicated Replicated Classic versions prior to 2.53.1 on all platforms allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, via accessing container ...
3 weeks ago Tenable.com
CVE-2024-13162 - SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from ...
1 month ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)