diff --git a/SPECS/nodejs/CVE-2025-22150.patch b/SPECS/nodejs/CVE-2025-22150.patch
new file mode 100644
index 00000000000..70745dfb614
--- /dev/null
+++ b/SPECS/nodejs/CVE-2025-22150.patch
@@ -0,0 +1,40 @@
+From d059d899b9c92a1479432016fe48a01d9254d89a Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal <kbkanishk975@gmail.com>
+Date: Wed, 5 Feb 2025 12:28:55 +0000
+Subject: [PATCH] Address CVE-2025-22150
+
+---
+ deps/undici/src/lib/fetch/body.js | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/deps/undici/src/lib/fetch/body.js b/deps/undici/src/lib/fetch/body.js
+index fd8481b7..4afcfdfb 100644
+--- a/deps/undici/src/lib/fetch/body.js
++++ b/deps/undici/src/lib/fetch/body.js
+@@ -22,6 +22,14 @@ const { isUint8Array, isArrayBuffer } = require('util/types')
+ const { File: UndiciFile } = require('./file')
+ const { parseMIMEType, serializeAMimeType } = require('./dataURL')
+ 
++let random
++try {
++  const crypto = require('node:crypto')
++  random = (max) => crypto.randomInt(0, max)
++} catch {
++  random = (max) => Math.floor(Math.random(max))
++}
++
+ let ReadableStream = globalThis.ReadableStream
+ 
+ /** @type {globalThis['File']} */
+@@ -107,7 +115,7 @@ function extractBody (object, keepalive = false) {
+     // Set source to a copy of the bytes held by object.
+     source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
+   } else if (util.isFormDataLike(object)) {
+-    const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
++    const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
+     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
+ 
+     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
+-- 
+2.43.0
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
index fb9b9f05b02..98ae53ed56e 100644
--- a/SPECS/nodejs/nodejs18.spec
+++ b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -18,6 +18,7 @@ URL:            https://github.com/nodejs/node
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         CVE-2023-21100.patch
 Patch1:         CVE-2024-21538.patch
+Patch2:         CVE-2025-22150.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -118,6 +119,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Wed Feb 05 2025 Kanishk Bansal <kanbansal@microsoft.com> - 18.20.3-3
+- Patch CVE-2025-22150
+
 * Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 18.20.3-2
 - Patch CVE-2024-21538