[CLSA-2026:1777630655] Fix CVE(s): CVE-2025-22150

Type:

security

Severity:

Moderate

Release date:

2026-05-01 10:17:40 UTC

Description:

   * SECURITY UPDATE: undici predictable multipart/form-data boundary
     - debian/patches/CVE-2025-22150.patch: replace Math.random() with
       crypto.randomInt() for the boundary string in bundled undici
       (deps/undici/src/lib/fetch/body.js). Math.random() output is
       predictable from a few sampled values, allowing attackers who can
       observe multipart requests to attacker-controlled servers to tamper
       with subsequent requests to backend APIs.
     - CVE-2025-22150

Updated packages:

alt-nodejs16-docs_16.20.2-16_amd64.deb
sha:1a5fbf07bf1ad8590e5c44d8ee28086d7edd147c
alt-nodejs16-nodejs_16.20.2-16_amd64.deb
sha:d6e8bf28136d8c3cc749af5ca5f227e82d43d7db
alt-nodejs16-nodejs-devel_16.20.2-16_amd64.deb
sha:5085fe195a9419a5c80e19c066682237e7f61690
alt-nodejs16-npm_8.19.4-16.20.2-16_amd64.deb
sha:23cdc50a274960a0bfa61cbe5c4f2d50f6dd8806

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.