CVE-2022-25892: muhammara and hummus vulnerable to denial of service by NULL pointer dereference
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.37944%
CWE
Published
11/1/2022
Updated
1/31/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
muhammara | npm | < 2.6.1 | 2.6.1 |
muhammara | npm | >= 3.0.0, < 3.1.1 | 3.1.1 |
hummus | npm | < 1.0.111 | 1.0.111 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing NULL check in PDFParser::ParseLastXrefPosition
. The patch adds a critical null check after calling mObjectParser.ParseNewObject()
, confirming that prior versions would dereference a null pointer when parsing truncated PDF files. The test case added in the commit (BrokenPdfBadHeader.txt
) triggers this code path, and the CWE-690 classification directly maps to this unchecked return value scenario.