CVE-2022-39381 - Vulnerability Details - OpenCVE

Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Muhammarajs Project	Muhammarajs
Pdfhummus	Hummusjs

Configuration 1 [-]

OR	cpe:2.3:a:muhammarajs_project:muhammarajs::::::node.js::*
	cpe:2.3:a:pdfhummus:hummusjs::::::node.js::*

No data.

References

Link	Providers
https://github.com/galkahana/HummusJS/issues/293
https://github.com/julianhille/MuhammaraJS/issues/191
https://github.com/julianhille/MuhammaraJS/pull/194
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw

History

Tue, 22 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-02T00:00:00.000Z

Updated: 2025-04-22T16:09:05.431Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39381

Vulnrichment

Updated: 2024-08-03T12:07:41.238Z

NVD

Status : Modified

Published: 2022-11-02T15:15:10.543

Modified: 2024-11-21T07:18:10.657

Link: CVE-2022-39381

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39381", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-22T16:09:05.431Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-11-02T00:00:00.000Z"}, "containers": {"cna": {"title": "Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-02T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources."}], "affected": [{"vendor": "julianhille", "product": "MuhammaraJS", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}, {"url": "https://github.com/galkahana/HummusJS/issues/293"}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-690: Unchecked Return Value to NULL Pointer Dereference", "cweId": "CWE-690"}]}], "source": {"advisory": "GHSA-rcrx-fpjp-mfrw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:07:41.238Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw", "tags": ["x_transferred"]}, {"url": "https://github.com/galkahana/HummusJS/issues/293", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:39:17.642211Z", "id": "CVE-2022-39381", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T16:09:05.431Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39381", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-22T16:09:05.431Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-11-02T00:00:00.000Z"}, "containers": {"cna": {"title": "Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-02T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources."}], "affected": [{"vendor": "julianhille", "product": "MuhammaraJS", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}, {"url": "https://github.com/galkahana/HummusJS/issues/293"}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-690: Unchecked Return Value to NULL Pointer Dereference", "cweId": "CWE-690"}]}], "source": {"advisory": "GHSA-rcrx-fpjp-mfrw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:07:41.238Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw", "tags": ["x_transferred"]}, {"url": "https://github.com/galkahana/HummusJS/issues/293", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39381", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:39:17.642211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:39:19.326Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:muhammarajs_project:muhammarajs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F63EAAE0-D342-4D4B-945E-82FA10CCD315", "versionEndIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfhummus:hummusjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ADCD90A6-1325-4822-85A1-E7196FDFA510", "versionEndExcluding": "1.0.111", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources."}, {"lang": "es", "value": "Muhammara es un m\u00f3dulo de nodo con enlaces c/cpp para modificar PDF con js para nodo o electr\u00f3n (based/replacement on/of galkhana/hummusjs). El paquete muhammara antes de 2.6.0; Todas las versiones del paquete hummus son vulnerables a la Denegaci\u00f3n de Servicio (DoS) cuando se les suministra un archivo PDF creado con fines malintencionados para adjuntarlo a otro. Este problema se solucion\u00f3 en 2.6.0 para muhammara y no se solucion\u00f3 en absoluto para hummus. Como workaround alternativo, no procese archivos de fuentes que no sean de confianza."}], "id": "CVE-2022-39381", "lastModified": "2024-11-21T07:18:10.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-02T15:15:10.543", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/galkahana/HummusJS/issues/293"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/pull/194"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/galkahana/HummusJS/issues/293"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/pull/194"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-690"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}