CVE-2022-25881

Exploit

EPSS 1.61%
Veröffentlicht 31.01.2023 05:15:11
Zuletzt bearbeitet 27.03.2025 18:17:13
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

http-cache-semantics < 4.1.1 - Regular Expression Denial of Service (ReDoS)

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Mögliche Gegenmaßnahme

Simple Local Avatars: Update to version 2.7.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Http-cache-semantics Project ≫ Http-cache-semantics SwPlatformnode.js Version < 4.1.1

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Simple Local Avatars

Version *-2.7.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.61%	0.728

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83

Broken Link

https://security.netapp.com/advisory/ntap-20230622-0008/

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332

Third Party Advisory

Exploit

https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/f6092987-5f60-42ac-9636-e1e0a2c85147

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-25881