Platform
nodejs
Component
eventsource
Fixed in
2.0.2
CVE-2022-1650 describes an information disclosure vulnerability discovered in the eventsource JavaScript library. This flaw allows sensitive data to be inadvertently exposed due to insufficient sanitization before storage or transfer. The vulnerability affects versions from 0.0.0 up to and including v2.0.2. A fix has been released in version v2.0.2.
The flaw lies in how the eventsource library handles sensitive information. An attacker could use it to obtain confidential data that applications built on the library process or transmit. Which data is at risk depends on how the library is integrated into the application, but it could include API keys, authentication tokens, or other sensitive user data. Although the direct exploitation path may be complex, the potential for data leakage is significant, particularly in applications that handle sensitive information. The vulnerability underlines the importance of proper data sanitization in JavaScript libraries.
CVE-2022-1650 was publicly disclosed on May 12, 2022. There is currently no indication of active exploitation campaigns targeting this vulnerability, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. Given its complexity, widespread exploitation is unlikely unless a readily available PoC appears.
Exploit Status
EPSS
1.14% (78th percentile)
The primary mitigation for CVE-2022-1650 is to upgrade the eventsource library to v2.0.2 or later without delay. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, add stricter input validation and output encoding in your application to reduce the chance of sensitive data exposure. Review the code for every place where data is passed to or from the eventsource library and make sure appropriate sanitization is applied. No WAF rules or detection signatures are readily available for this vulnerability, so code review and timely patching are the key controls.
Update the eventsource library to version 2.0.2 or higher. This corrects the vulnerability that allows the exposure of sensitive information before it is stored or transferred.
CVE-2022-1650 is a HIGH severity information disclosure vulnerability affecting the eventsource library in Node.js applications. It allows sensitive data to be exposed due to improper removal before storage or transfer.
You are affected if your Node.js application uses the eventsource library in versions 0.0.0 through v2.0.2. Check your dependencies with npm list eventsource.
Upgrade the eventsource library to version v2.0.2 or later using npm install eventsource@latest.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-1650, but it's crucial to patch promptly.
Refer to the GitHub repository eventsource/eventsource for details: https://github.com/eventsource/eventsource/issues/118