GoogleOSV:GHSA-9CV5-4WQV-9W94muhammara and hummus vulnerable to denial of service by NULL pointer dereference
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
61.3%
Impact
The package muhammara before 2.6.1, from 3.0.0 and before 3.1.1; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.
Patches
It has been patched in 3.1.1 and has been backported to 2.6.1
Hummus has a patch in 1.0.111.
Workarounds
Do not process files from untrusted sources or update.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25892
https://github.com/galkahana/HummusJS/issues/463
https://github.com/julianhille/MuhammaraJS/issues/214
https://github.com/julianhille/MuhammaraJS/commit/1890fb555eaf171db79b73fdc3ea543bbd63c002
https://github.com/julianhille/MuhammaraJS/commit/90b278d09f16062d93a4160ef0a54d449d739c51
https://security.snyk.io/vuln/SNYK-JS-HUMMUS-3091138
https://security.snyk.io/vuln/SNYK-JS-MUHAMMARA-3060320
References
github.com/galkahana/HummusJS/commit/a9bf2520ab5abb69f9328906e406fbebfb36159a
github.com/galkahana/HummusJS/issues/463
github.com/julianhille/MuhammaraJS
github.com/julianhille/MuhammaraJS/commit/1890fb555eaf171db79b73fdc3ea543bbd63c002
github.com/julianhille/MuhammaraJS/commit/90b278d09f16062d93a4160ef0a54d449d739c51
github.com/julianhille/MuhammaraJS/issues/214
github.com/julianhille/MuhammaraJS/security/advisories/GHSA-f64j-4x74-p42m
nvd.nist.gov/vuln/detail/CVE-2022-25892
security.snyk.io/vuln/SNYK-JS-HUMMUS-3091138
security.snyk.io/vuln/SNYK-JS-MUHAMMARA-3060320
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
61.3%