7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25892

GHSA ID

GHSA-9cv5-4wqv-9w94

EPSS Score

0.37944%

CWE

CWE-690

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25892

CVE-2022-25892:
muhammara and hummus vulnerable to denial of service by NULL pointer dereference

Impact

The package muhammara before 2.6.1, from 3.0.0 and before 3.1.1; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.

Patches

It has been patched in 3.1.1 and has been backported to 2.6.1 Hummus has a patch in 1.0.111.

Workarounds

Do not process files from untrusted sources or update.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-25892 https://github.com/galkahana/HummusJS/issues/463 https://github.com/julianhille/MuhammaraJS/issues/214 https://github.com/julianhille/MuhammaraJS/commit/1890fb555eaf171db79b73fdc3ea543bbd63c002 https://github.com/julianhille/MuhammaraJS/commit/90b278d09f16062d93a4160ef0a54d449d739c51 https://security.snyk.io/vuln/SNYK-JS-HUMMUS-3091138 https://security.snyk.io/vuln/SNYK-JS-MUHAMMARA-3060320

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25892

GHSA ID

GHSA-9cv5-4wqv-9w94

EPSS Score

0.37944%

CWE

CWE-690

Published

11/1/2022

Updated

1/31/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
muhammara	npm	< 2.6.1	2.6.1
muhammara	npm	>= 3.0.0, < 3.1.1	3.1.1
hummus	npm	< 1.0.111	1.0.111

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a missing NULL check in PDFParser::ParseLastXrefPosition. The patch adds a critical null check after calling mObjectParser.ParseNewObject(), confirming that prior versions would dereference a null pointer when parsing truncated PDF files. The test case added in the commit (BrokenPdfBadHeader.txt) triggers this code path, and the CWE-690 classification directly maps to this unchecked return value scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** p**k*** mu**mm*r* ***or* *.*.*, *rom *.*.* *n* ***or* *.*.*; *ll v*rsions o* p**k*** *ummus *r* vuln*r**l* to **ni*l o* S*rvi** (*oS) w**n suppli** wit* * m*li*iously *r**t** P** *il* to ** p*rs**. ### P*t***s It **s ***n p*t**** in *

Reasoning

T** vuln*r**ility st*ms *rom * missin* NULL ****k in `P**P*rs*r::P*rs*L*stXr**Position`. T** p*t** ***s * *riti**l null ****k **t*r **llin* `mO*j**tP*rs*r.P*rs*N*wO*j**t()`, *on*irmin* t**t prior v*rsions woul* **r***r*n** * null point*r w**n p*rsin*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-25892: muhammara and hummus vulnerable to denial of service by NULL pointer dereference

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-25892:
muhammara and hummus vulnerable to denial of service by NULL pointer dereference

Vulnerability Intelligence
Miggo AI