Inefficient Algorithmic Complexity in http-cache-semantics - CVE-2022-25881

 


Published: March 3, 2023


Vulnerability identifier: #VU72750
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-25881
CWE-ID: CWE-407
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: kornelski
Affected software:
http-cache-semantics

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to regular expression denial of service that occurs when the server reads the cache policy from the request using this library. A remote unauthenticated attacker can send malicious request header values to the server and perform a denial of service attack.


How to mitigate CVE-2022-25881

Install updates from the vendor's website.
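
Until the update is deployed, bounding the request header values that reach the cache-policy parser limits how much input a backtracking regular expression can be made to process. The sketch below is an added example, not code from http-cache-semantics or from this advisory; the function names, the 1024-byte limit and the header list are assumptions, and the parser is a simplified linear-time alternative that splits on commas and does not handle commas inside quoted strings.

```javascript
// Added example: hypothetical helpers, not part of http-cache-semantics.
const MAX_HEADER_VALUE_BYTES = 1024;        // assumed limit; tune for your traffic
const POLICY_HEADERS = ['cache-control'];   // assumed list of headers to bound

// Return a lower-cased copy of the request headers in which oversized
// cache-policy headers are dropped, so the parser never sees them.
function boundPolicyHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    const tooLong = Buffer.byteLength(text) > MAX_HEADER_VALUE_BYTES;
    if (POLICY_HEADERS.includes(key) && tooLong) {
      continue; // treat the request as if it carried no directives
    }
    out[key] = text;
  }
  return out;
}

// Parse Cache-Control directives in time linear in the input length:
// one split on ',' and one indexOf per part, no regular expression.
function parseCacheControl(value) {
  const directives = {};
  if (typeof value !== 'string') return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue; // skip empty list elements such as ", ,"
    let arg = eq === -1 ? true : part.slice(eq + 1).trim();
    if (typeof arg === 'string' && arg.length >= 2 &&
        arg.startsWith('"') && arg.endsWith('"')) {
      arg = arg.slice(1, -1); // strip surrounding quotes
    }
    directives[name] = arg;
  }
  return directives;
}

// Constructed sample request headers.
const sample = boundPolicyHeaders({
  'Cache-Control': 'no-cache, max-age=60',
  'Accept': 'text/html',
});
console.log(parseCacheControl(sample['cache-control']));
```
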
