GHSA-2r7v-cmch-5x26: muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference

Impact

The package muhammara before 2.6.2, and from 3.0.0 and before 3.3.0, and all versions of the package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.

Patches

It has been patched in 3.4.0, and the fix has been backported to 2.6.2. There is currently no patch for hummus.

Workarounds

Do not process files from untrusted sources, or update to a patched version. Replace hummus with muhammara.

References

https://github.com/julianhille/MuhammaraJS/pull/235
https://github.com/julianhille/MuhammaraJS/pull/238


muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference

High severity GitHub Reviewed Published Dec 5, 2022 in julianhille/MuhammaraJS • Updated Dec 5, 2022

Package: hummus (npm)
Affected versions: < 2.6.2
Patched versions: None

Package: muhammara (npm)
Affected versions: >= 3.0.0, < 3.4.0 (patched in 3.4.0)
Affected versions: < 2.6.2 (patched in 2.6.2)
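The affected ranges above as a dependency check, added here as an example that is not part of the advisory or the MuhammaraJS project: it scans the `packages` map of an npm lockfile for affected installs, including nested transitive copies. The muhammara ranges follow the affected-versions listing, hummus is flagged at every version as the Impact text states, and the lockfile contents and dependency names are constructed.

```javascript
// Ranges from the advisory's affected-versions listing; sample lockfile is constructed.
// Parse "major.minor.patch", ignoring pre-release/build suffixes (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version triple a sorts before b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// muhammara: < 2.6.2, or >= 3.0.0 and < 3.4.0. hummus: every release (no patch).
function isAffected(name, version) {
  if (name === 'hummus') return true;
  if (name !== 'muhammara') return false;
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: report rather than pass silently
  return lessThan(v, [2, 6, 2]) || (!lessThan(v, [3, 0, 0]) && lessThan(v, [3, 4, 0]));
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, which
// also lists transitive copies nested under other dependencies.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (isAffected(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project and dependency names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'pdf-service', version: '1.0.0' },
    'node_modules/muhammara': { version: '3.3.0' },
    'node_modules/report-gen/node_modules/muhammara': { version: '2.6.2' },
    'node_modules/legacy-export/node_modules/hummus': { version: '1.0.110' },
    'node_modules/pdf-tools/node_modules/muhammara': { version: '2.5.0' },
  },
};
for (const hit of findAffected(sampleLock)) {
  console.log(`AFFECTED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected` in place of `sampleLock`.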

References

  • GHSA-2r7v-cmch-5x26
  • https://nvd.nist.gov/vuln/detail/CVE-2022-41957
  • julianhille/MuhammaraJS#235
  • julianhille/MuhammaraJS#238

julianhille published the maintainer security advisory Nov 26, 2022

Severity: High (7.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses: CWE-690
CVE ID: CVE-2022-41957
GHSA ID: GHSA-2r7v-cmch-5x26
Source code: julianhille/MuhammaraJS


Related news

CVE-2022-41957: Feature/finding null pointer by julianhille · Pull Request #235 · julianhille/MuhammaraJS

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.