CVE-2022-39381 - Muhammara & Hummus Node Modules Denial of Service (DoS) Vulnerability in PDF Appending Process

Introduction: A critical vulnerability has been identified in the Muhammara and Hummus node modules that could lead to a Denial of Service (DoS) attack when handling maliciously crafted PDF files. Muhammara is a Node.js module, with C/C++ bindings, that simplifies PDF modifications for Node.js and Electron-based applications. It is based on, and a replacement for, the Hummus.js package. However, both packages suffer from this vulnerability, which can cause inadvertent system downtime and loss of availability for the affected services.

Details: The vulnerability, dubbed CVE-2022-39381, affects the Muhammara package prior to version 2.6. and all versions of Hummus. The issue arises when a malicious user supplies a specially crafted PDF file, designed to trigger a DoS condition, to be appended to another PDF file. The underlying code handling the PDF appending process fails to properly validate and sanitize the input, leading to a DoS scenario.

Original References

1. CVE-2022-39381
2. Muhammara GitHub Repository
3. Hummus GitHub Repository

Code Snippet showcasing vulnerable appending process

const muhammara = require('muhammara');

// Example of a vulnerable PDF appending process
function appendPDF(sourceFile1, sourceFile2, outputFile) {
  try {
    const pdfWriter = muhammara.createWriterToModify(sourceFile1, {modifiedFilePath: outputFile});
    pdfWriter.appendPDFPagesFromPDF(sourceFile2);
    pdfWriter.end();
  } catch (error) {
    console.error('Error appending PDFs:', error);
  }
}

// Example usage with potentially malicious input
appendPDF('trusted.pdf', 'malicious.pdf', 'output.pdf');

Exploit Details: An attacker could craft a malicious PDF file that, when processed by an affected Muhammara or Hummus-based service, would lead to the target service becoming unresponsive and eventually crashing, resulting in a DoS condition. It should be noted that this vulnerability appears to stem from a lack of proper input validation and sanitization during the PDF appending process.

Mitigation: The Muhammara team has released a patch in version 2.6. that addresses this vulnerability. It is highly recommended that users of Muhammara upgrade their package to version 2.6. or later. However, for users of the non-maintained Hummus package, there is currently no patch available. As a workaround, users are advised not to process files from untrusted sources and to implement additional input validation and sanitization procedures in their services.

In summary, CVE-2022-39381 is a critical security vulnerability affecting the Muhammara and Hummus Node.js libraries that could result in a Denial of Service attack if exploited. To mitigate this issue, users should upgrade to the latest version of Muhammara (2.6. or later) or, for Hummus users, consider alternative solutions and refrain from processing files from untrusted sources.

Timeline

Published on: 11/02/2022 15:15:00 UTC
Last modified on: 11/04/2022 02:42:00 UTC