If you handle PDF files in Node.js, chances are you’ve used popular packages like muhammara or hummus. These libraries make it easy to create and manipulate PDFs on the fly. But if you’re using any muhammara version before 2.6.0, or any version of hummus, pay attention: you’re open to a Denial of Service (DoS) attack, tracked as CVE-2022-25885.
What’s the Problem?
The root of the problem is the function PDFStreamForResponse() in both projects. If this function receives invalid data — which can be as simple as a malformed PDF or unexpected input — it can cause your app to hang or crash. This is a classic Denial of Service (DoS): a bad guy can send you naughty data, and your server might just give up.
Let’s say you have basic PDF-handling code like this:

```javascript
const hummus = require('hummus'); // or 'muhammara', same API

function sendPdf(req, res) {
  res.writeHead(200, { 'Content-Type': 'application/pdf' });
  // PDFStreamForResponse wraps the HTTP response as the writer's output stream
  const writer = hummus.createWriter(new hummus.PDFStreamForResponse(res));
  const page = writer.createPage(0, 0, 595, 842); // typical A4 page in points
  writer.writePage(page);
  writer.end();
  res.end();
}
```
So far, so good. But what happens if you — or an attacker — send invalid data to PDFStreamForResponse?
Bad things. In affected versions, invalid input can trigger infinite loops or unhandled exceptions inside the C++ core of these packages. That means memory leaks, stuck processes, sky-high CPU usage, or even your entire server going down.
What’s Causing This?
The underlying issue is improper input validation. PDFStreamForResponse() doesn’t check if the data is actually a valid PDF. So, when garbage comes in, the library’s engine gets confused and can’t recover gracefully.
Sample Exploit
Here’s a simple, practical exploit. An attacker might send your API a request something like this (pseudocode):

```javascript
const net = require('net');

const client = new net.Socket();
client.connect(300, 'your-server-ip', () => {
  // Send obviously bad PDF data
  client.write('not-a-pdf');
  client.end();
});
```
If your server code doesn’t check input:

```javascript
// Vulnerable code -- do not use in production!
const express = require('express');
const hummus = require('hummus'); // or 'muhammara'

const app = express();

app.post('/uploadpdf', (req, res) => {
  const stream = new hummus.PDFStreamForResponse(res);
  // Pass the request body straight through, with no validation at all
  req.pipe(stream);
});
```

This will crash or hang your server if the request body contains junk.
How to Fix It
The muhammara authors patched this in 2.6.0. Hummus is no longer maintained at all, and remains vulnerable.

Update muhammara ASAP:

```bash
npm install muhammara@latest
```

And seriously consider replacing hummus with a modern alternative, since it’s no longer supported.
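Upgrading removes the bug; validating input keeps the next one from taking the process down. The following is an added example (not code from the advisory, nor from the muhammara or hummus projects) of the "validate" half: a cheap envelope check on untrusted bytes, a hard-capped body reader, and a wrapper that only hands bytes to the PDF engine after the check and turns engine exceptions into HTTP errors. The engine call itself is injected as `render`; the muhammara `PDFRStreamForBuffer` call mentioned in the comment is an assumption about how a caller would wire it in and is not invoked here. The size limit and sample inputs are constructed for the example.

```javascript
'use strict';
// Added example, not code from the advisory or from muhammara/hummus.
// Gate untrusted bytes before they reach PDFStreamForResponse or the parser.

const MAX_PDF_BYTES = 10 * 1024 * 1024; // constructed limit: 10 MiB per upload
const PDF_HEADER = Buffer.from('%PDF-');

// Cheap envelope checks on an untrusted buffer. They do not prove the file is a
// well-formed PDF; they reject the "obviously not a PDF" inputs (empty, junk,
// truncated, oversized) before the native engine ever sees them.
function checkPdfEnvelope(buf, maxBytes = MAX_PDF_BYTES) {
  if (!Buffer.isBuffer(buf)) return { ok: false, reason: 'body is not a Buffer' };
  if (buf.length === 0) return { ok: false, reason: 'empty body' };
  if (buf.length > maxBytes) return { ok: false, reason: 'body exceeds size limit' };
  // Header: "%PDF-" followed by a version such as 1.4 or 2.0, at offset 0.
  if (!buf.subarray(0, PDF_HEADER.length).equals(PDF_HEADER)) {
    return { ok: false, reason: 'missing %PDF- header' };
  }
  const version = buf.subarray(5, 8).toString('latin1');
  if (!/^[12]\.\d$/.test(version)) return { ok: false, reason: 'bad version in header' };
  // Trailer: a complete file ends with "startxref <offset>" and "%%EOF"; look only
  // in the last 1024 bytes so a large body is not scanned end to end.
  const tail = buf.subarray(Math.max(0, buf.length - 1024)).toString('latin1');
  if (!/startxref\s+\d+\s+%%EOF\s*$/.test(tail)) {
    return { ok: false, reason: 'missing startxref/%%EOF trailer' };
  }
  return { ok: true, reason: 'envelope looks like a PDF' };
}

// Hard-capped body reader: rejects an oversize upload while it is still arriving
// instead of buffering it without bound.
function readBodyWithLimit(stream, maxBytes = MAX_PDF_BYTES) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    let total = 0;
    stream.on('data', (chunk) => {
      total += chunk.length;
      if (total > maxBytes) {
        stream.destroy();
        reject(new Error('body exceeds size limit'));
        return;
      }
      chunks.push(chunk);
    });
    stream.on('end', () => resolve(Buffer.concat(chunks)));
    stream.on('error', reject);
  });
}

// Run the PDF engine only on bytes that passed the envelope check, and turn any
// exception it throws into a response instead of an unhandled crash. `render`
// is the caller's engine call; with muhammara it would be something like
//   (buf) => muhammara.createReader(new muhammara.PDFRStreamForBuffer(buf)).getPagesCount()
// (assumption about the caller's wiring; the engine is not invoked in this file).
function guardedPdfCall(body, render) {
  const verdict = checkPdfEnvelope(body);
  if (!verdict.ok) return { status: 400, error: verdict.reason };
  try {
    return { status: 200, result: render(body) };
  } catch (err) {
    return { status: 422, error: 'PDF engine rejected input: ' + err.message };
  }
}

// Request handler shape for an http/Express route: cap the body, gate it, answer.
async function handleUpload(req, res, render) {
  let body;
  try {
    body = await readBodyWithLimit(req);
  } catch (err) {
    res.writeHead(413, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ error: err.message }));
    return;
  }
  const outcome = guardedPdfCall(body, render);
  res.writeHead(outcome.status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(outcome));
}

// Constructed inputs: the advisory's junk string and a minimal PDF-shaped buffer.
const JUNK = Buffer.from('not-a-pdf');
const MINIMAL_PDF = Buffer.from(
  '%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n',
  'latin1'
);
```

One caveat worth keeping in mind: the engine behind these packages is native code that runs synchronously, so a `try`/`catch` handles thrown exceptions but cannot interrupt a hang. For untrusted uploads, run the engine in a separate worker process with a wall-clock timeout so a stuck parse can be killed without taking the web server down with it.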
References
- CVE-2022-25885 NVD entry
- GitHub issue: muhammara vulnerability
- muhammara npm advisory
- hummus npm page
Final Thoughts
Software moves fast, and security holes pop up all the time. CVE-2022-25885 shows how a single unchecked function can bring reliable services to their knees. Don’t wait for your first real-world crash: patch and validate today.
If you liked this rundown, save it and keep your Node.js stack secure!
Timeline
Published on: 11/01/2022 05:15:00 UTC
Last modified on: 11/01/2022 19:20:00 UTC