Undici HTTP Client Boundary Manipulation Vulnerability in Multipart Requests

Vulnerability

A vulnerability exists in the Undici HTTP/1.1 client, specifically in versions 4.5.0 prior to 5.28.5, 6.0.0 prior to 6.21.1, and 7.0.0 prior to 7.2.3. The issue arises because Undici uses Math.random() to generate the boundary for multipart/form-data requests. Math.random() is not a cryptographically secure generator, so an attacker who has observed several generated values can predict the ones that follow. If an application sends multipart requests to an attacker-controlled server, the attacker can use those requests to learn the boundary values and then manipulate the request data the application sends to backend APIs.

Impact

Exploitation allows an attacker to tamper with requests to backend APIs by adding or overwriting fields in the multipart data, potentially leading to unauthorized actions or data modifications.

Reproduction

The vulnerability can be reproduced with an application that sends multipart requests to an attacker-controlled server, where that server extracts the Math.random()-derived boundary values and uses them to predict the boundaries of later requests. Any application that sends such requests, for example one built with Express.js that forwards multipart data to a server endpoint which processes it, is sufficient.

Remediation

Users can upgrade to Undici versions 5.28.5, 6.21.1, or 7.2.3, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread           4.2
impact           0.6
exploitability   5.8
remediation      7.9
relevance        0.0
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.