Platform: nodejs
Component: decode-uri-component
Fixed in: 0.2.1
CVE-2022-38900 identifies a Denial of Service (DoS) vulnerability in the decode-uri-component library, affecting version 0.2.0. The vulnerability stems from improper input validation: a crafted URI component causes the decoder to consume far more resources than the input size warrants, leading to application instability or an outright denial of service. The fix shipped in version 0.2.1.
The impact of CVE-2022-38900 is denial of service. An attacker who can get a specially crafted string into a call to the decode-uri-component function triggers unbounded resource consumption, which can crash the process or leave it unresponsive. The blast radius is every application or service that ships the vulnerable version, in particular anything that parses URLs or query strings; because the library is a small utility that is usually pulled in transitively (for example by the query-string package), many affected projects do not list it as a direct dependency. Confidentiality is not affected and no data is exfiltrated; the effect is on availability, although a service that depends on timely processing of URI components may drop or delay work downstream.
CVE-2022-38900 was published on November 28, 2022 and is rated HIGH with a CVSS score of 7.5. There is no indication of exploitation in the wild and it is not on CISA's KEV list; its EPSS score is 0.61% (70th percentile). Public proof-of-concept (PoC) code is not widely available, but exploitation needs nothing more than the ability to deliver a crafted string to a code path that calls the decoder, which in a web application is typically any request whose URL or query string the server decodes.
Exploit status
EPSS: 0.61% (70th percentile)
CVSS vector:
The primary mitigation for CVE-2022-38900 is to upgrade decode-uri-component to version 0.2.1 or later. Because the package is usually a transitive dependency, check the lockfile (npm ls decode-uri-component) rather than package.json alone, and if a dependent pins the old version, force the fixed release with npm's overrides or Yarn's resolutions field. If an immediate upgrade is not possible, bound the input before it reaches the decoder: cap the length of each URI component and reject components that are not well-formed percent-encoding (an allowlist of characters plus complete %XX escapes). A Web Application Firewall (WAF) can filter requests carrying suspicious URI components, but treat that as defence in depth, since the same decoder may also process input arriving by other routes. After upgrading, verify the fix by decoding the input that previously triggered the problem under a time budget and confirming that it completes promptly.
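The input guard and the timed verification step described above, as an added example that is not code from the decode-uri-component project or from this page. The guard wraps whatever decoder is passed in; the built-in decodeURIComponent is used here so the file runs without dependencies, and in an application you would pass require('decode-uri-component') instead. MAX_COMPONENT_LENGTH, the allowed-character pattern and the time budget are assumptions to tune for your service, and the problematic input is a parameter because this page does not reproduce it.

```javascript
// Added example: bound what reaches a URI-component decoder, and time a decoder
// against a sample input to verify a fix.  Not the library's own code.

const MAX_COMPONENT_LENGTH = 2048; // assumption: tune to your URL length budget

// A well-formed component is unreserved characters, sub-delims, ':' or '@',
// or complete %XX escapes.  A lone '%', a truncated escape, control bytes or
// raw non-ASCII are rejected before any decoder sees them.
const WELL_FORMED = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*$/;

// decoder: any function (string) -> string, e.g. decodeURIComponent or
// require('decode-uri-component').  Returns a result object instead of throwing
// so callers can log the rejection reason.
function guardedDecode(input, decoder = decodeURIComponent, maxLen = MAX_COMPONENT_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: 'too-long' };
  }
  if (!WELL_FORMED.test(input)) {
    return { ok: false, reason: 'malformed-percent-encoding' };
  }
  try {
    return { ok: true, value: decoder(input) };
  } catch (err) {
    // The built-in decoder throws URIError on escapes that are not valid UTF-8
    // (e.g. '%FF'); decode-uri-component instead maps those to U+FFFD.
    return { ok: false, reason: 'decoder-error', error: err.message };
  }
}

// Post-upgrade check: run `decoder` on `sample` under a wall-clock budget.
// `sample` should be the input that misbehaved on the vulnerable version
// (from the upstream advisory or your own incident notes).
function verifyDecoder(decoder, sample, budgetMs = 100) {
  const start = process.hrtime.bigint();
  let value;
  let error;
  try {
    value = decoder(sample);
  } catch (err) {
    error = err.message;
  }
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { withinBudget: elapsedMs <= budgetMs, elapsedMs, value, error };
}

// Constructed inputs for a quick run:
//   guardedDecode('caf%C3%A9')       -> ok, 'café'
//   guardedDecode('%E0%A4%A')        -> rejected, truncated escape
//   guardedDecode('x'.repeat(5000))  -> rejected, too long
//   verifyDecoder(decodeURIComponent, 'a%20b')  -> { withinBudget: true, value: 'a b', ... }
```

Wire guardedDecode in at the trust boundary (request handler, message consumer) so that the length and shape checks run before any decoding library, and keep verifyDecoder in the test suite with the advisory's sample so a future regression is caught rather than discovered in production.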
Upgrade the decode-uri-component library to version 0.2.1 or later to mitigate the denial-of-service (DoS) vulnerability caused by improper input validation. You can do this with npm or yarn.
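Before running the upgrade it helps to know where the old version actually sits, since it is usually several levels down the dependency tree. The following is an added example, not tooling from this page or the decode-uri-component project: it scans an npm lockfile of lockfileVersion 2 or 3 (which list every installed copy under "packages") for copies of a package older than the fixed release. The lockfile fragment is constructed for the example; the package names and versions in it are illustrative.

```javascript
// Added example: find every installed copy of a package below the fixed
// version in an npm lockfile (lockfileVersion 2 or 3).  Not project code.

const FIXED_VERSION = '0.2.1';

// Compare dotted numeric versions ('0.2.0' vs '0.2.1').  Prerelease tags are
// dropped, which is sufficient for this package's release history.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each copy of `name` whose version is below
// `fixed`.  Paths are the lockfile keys, e.g.
// 'node_modules/query-string/node_modules/decode-uri-component'.
function findVulnerableCopies(lock, name, fixed = FIXED_VERSION) {
  const packages = lock.packages || {};
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (!meta.version) continue; // e.g. the root entry ''
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (assumption, not a real project): a hoisted
// copy already on the fixed version, plus a nested 0.2.0 kept alive because
// the dependent pins it exactly.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'query-string': '^7.0.0' } },
    'node_modules/decode-uri-component': { version: '0.2.1' },
    'node_modules/query-string': {
      version: '7.1.1',
      dependencies: { 'decode-uri-component': '0.2.0' }
    },
    'node_modules/query-string/node_modules/decode-uri-component': { version: '0.2.0' }
  }
};

// Against a real project:
//   const fs = require('fs');
//   findVulnerableCopies(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), 'decode-uri-component');
```

If the scan reports a copy and the dependent's range allows it, `npm update decode-uri-component` (or `yarn upgrade decode-uri-component`) is enough; if the dependent pins the old release, add an `overrides` entry in package.json for npm (or `resolutions` for Yarn classic) forcing `^0.2.1`, reinstall, and re-run the scan until it returns nothing.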
CVE-2022-38900 is a vulnerability in the decode-uri-component library that allows an attacker to cause a denial-of-service (DoS) by providing a specially crafted URI component string.
Applications using decode-uri-component version 0.2.0 are affected by this vulnerability.
Upgrade the decode-uri-component library to version 0.2.1 or later to resolve this issue.
No public reports of in-the-wild exploitation of CVE-2022-38900 are known, and proof-of-concept code is not widely available.
Refer to the National Vulnerability Database (NVD) entry for CVE-2022-38900 at https://nvd.nist.gov/vuln/detail/CVE-2022-38900