
CVE-2022-25906: is-http2 vulnerable to Improper Input Validation

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.27687%
Published: 2/1/2023
Updated: 8/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
is-http2       npm         <= 1.2.0              none listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the isH2 function passing unvalidated caller input to exec(), which runs its argument through a shell:

  1. The 'openssl' option (the openssl command to run) is interpolated directly into the command string without sanitization.
  2. The URL parameter is used in command construction after only minimal formatting checks.
  3. The PoC demonstrates injection via the openssl option (e.g., {openssl: "touch JHU"}): the option value becomes the command word the shell executes.
  4. The code builds the command by plain string concatenation (lines 23-78) with no escaping, no argument array, and no sandboxing.
  5. CWE-78 (OS Command Injection) is explicitly referenced in the advisory.

The CVSS vector (AV:L, PR:L) reflects that the attacker must be able to influence the URL or options an application passes to isH2; any application that forwards untrusted input to either parameter is exposed, and no patched version is listed.

WAF Protection Rules

WAF Rule

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization, other checks, or sandboxing of the isH2 function.
