[Security] Bump undici from 5.28.4 to 5.28.5
Bumps undici from 5.28.4 to 5.28.5. This update includes a security fix.
Vulnerabilities fixed
Use of Insufficiently Random Values in undici
Impact
Undici's fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the values needed to recover the generator state and predict future boundaries. An attacker can therefore tamper with the requests going to the backend APIs if certain conditions are met.
Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Workarounds
Do not issue multipart requests to attacker controlled servers.
References
- https://hackerone.com/reports/2913312
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Patched versions: 7.2.3; 6.21.1; 5.28.5. Affected versions: >= 7.0.0, < 7.2.3; >= 6.0.0, < 6.21.1; >= 4.5.0, < 5.28.5
Release notes
Sourced from undici's releases.
v5.28.5
Security Release. Fixes CVE-2025-22150 (https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975, embargoed until 22-01-2025).
Full Changelog: https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5
Commits
- 6139ed2 Bumped v5.28.5
- 711e207 Backport of c2d78cd
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts
Merge request reports
Activity
added dependencies javascript security labels
added severity:moderate label
mentioned in commit 9a8c8f63