Unchecked Return Value to NULL Pointer Dereference in muhammara (and hummus)

High
julianhille published GHSA-2r7v-cmch-5x26 Nov 26, 2022

Package: npm hummus (npm)
Affected versions: *
Patched versions: None

Package: npm muhammara (npm)
Affected versions: < 2.6.2 || >= 3.0.0 < 3.3.0
Patched versions: 2.6.2, 3.4.0

Description

Impact

The package muhammara before 2.6.2 and from 3.0.0 before 3.3.0, and all versions of the package hummus, are vulnerable to Denial of Service (DoS) when they are given a maliciously crafted PDF file to parse: an unchecked return value leads to a NULL pointer dereference, which crashes the process doing the parsing.

Patches

The fix is in muhammara 3.4.0 and has been backported to 2.6.2.
There is currently no patch for hummus.

Workarounds

Do not process PDF files from untrusted sources, or update muhammara to a patched version.
Replace hummus with muhammara.

References

#235
#238

Severity

High, 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-41957

Weaknesses