Miggo Logo

CVE-2022-25892: muhammara and hummus vulnerable to denial of service by NULL pointer dereference

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.37944%
Published
11/1/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
muhammaranpm< 2.6.12.6.1
muhammaranpm>= 3.0.0, < 3.1.13.1.1
hummusnpm< 1.0.1111.0.111

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from a missing NULL check in PDFParser::ParseLastXrefPosition. The patch adds a critical null check after calling mObjectParser.ParseNewObject(), confirming that prior versions would dereference a null pointer when parsing truncated PDF files. The test case added in the commit (BrokenPdfBadHeader.txt) triggers this code path, and the CWE-690 classification directly maps to this unchecked return value scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** p**k*** mu**mm*r* ***or* *.*.*, *rom *.*.* *n* ***or* *.*.*; *ll v*rsions o* p**k*** *ummus *r* vuln*r**l* to **ni*l o* S*rvi** (*oS) w**n suppli** wit* * m*li*iously *r**t** P** *il* to ** p*rs**. ### P*t***s It **s ***n p*t**** in *

Reasoning

T** vuln*r**ility st*ms *rom * missin* NULL ****k in `P**P*rs*r::P*rs*L*stXr**Position`. T** p*t** ***s * *riti**l null ****k **t*r **llin* `mO*j**tP*rs*r.P*rs*N*wO*j**t()`, *on*irmin* t**t prior v*rsions woul* **r***r*n** * null point*r w**n p*rsin*