CVE-2022-39381 - Exploit Details and Analysis of the Muhammara and Hummusjs PDF DoS Vulnerability

Table of Contents

Overview

If your Node.js application uses the muhammara or hummusjs packages to work with PDF files, you should pay attention to CVE-2022-39381. This vulnerability enables attackers to crash your app or service by sending a malicious PDF file. Below, you’ll find a deep-dive explanation, sample code, and guidance on fixing or avoiding this issue.

What Is Muhammara?

Muhammara is a Node.js library with C/C++ bindings. It’s used to read, create, and modify PDF files, both in server environments and Electron apps. It was designed to be a modern, maintained replacement for hummusjs (galkhana/hummus), which is not being actively updated.

About Hummusjs

Hummusjs is the predecessor to Muhammara. It fulfilled a similar purpose by letting developers work with PDFs in Node.js, but it has several unresolved vulnerabilities, including CVE-2022-39381.

Understanding CVE-2022-39381

CVE-2022-39381 is a Denial of Service (DoS) vulnerability in both muhammara (before v2.6.) and hummusjs (all versions). If your app tries to append a maliciously crafted PDF file to another using either library, the process can get stuck, consume all memory, or crash entirely. This behavior can cause your service to become unresponsive or crash, which is a typical DoS attack.

The root cause is in how these libraries handle malformed PDFs, especially during the append/merge process.

How the Exploit Works

A malicious user crafts a PDF file with corrupted or non-standard structures (e.g., broken object references or incorrect cross-reference tables). When the vulnerable library attempts to append or merge the malicious file to another PDF, it can enter an infinite loop or trigger an unhandled error, eating up CPU and memory.

Because these libraries are often used in web backends, passing user-uploaded PDFs for processing without verification could allow remote attackers to bring down your service via a simple file upload.

Sample Exploit Code

Here’s a simple code example showing how an app might be vulnerable, with and without the patch.

IMPORTANT: Do *not* run this code on production systems. For educational purposes only.

// vulnerable-app.js (using muhammara <2.6. or any hummusjs)
const hummus = require('hummus'); // or 'muhammara'

function appendPDF(input1, input2, output) {
  try {
    const pdfWriter = hummus.createWriterToModify(input1, {modifiedFilePath: output});
    pdfWriter.appendPDFPagesFromPDF(input2);
    pdfWriter.end();
    console.log('Successfully appended PDF!');
  } catch (e) {
    // In vulnerable versions, catching errors may not help: your process may hang/crash!
    console.error('Failed to process:', e);
  }
}

// attacker-pdf.pdf is a malicious PDF file designed to cause DoS
appendPDF('innocent.pdf', 'attacker-pdf.pdf', 'output.pdf');

How the attacker creates the malicious file:
This part is typically done using tools for intentionally corrupting PDFs, e.g., by editing cross-reference tables or inserting infinite object loops. One commonly referenced tool for PDF fuzzing is PDF Fuzzing Tools List.

You can see an example of a corrupted xref table in a PDF file here

xref
 2
000000000 65535 f 
000000001 00000 n
trailer
<< /Size 2 /Root 1  R >>
startxref
9999  % <-- This points to a totally invalid offset!
%%EOF

When this file is appended using the vulnerable code above, the process could hang or crash.

Upgrade to muhammara@2.6. or above, where this issue is patched.

npm install muhammara@latest

No patch is available.

Recommendation: Switch to muhammara, which is maintained and patched for this and other issues.

npm uninstall hummus
npm install muhammara

Don’t process files from untrusted sources!

If you must process user-uploaded files, use external PDF validation tools (such as qpdf with --check) before passing them into your node process. This helps filter out malformed or dangerous PDFs.

Security Advisory:

- GitHub: Muhammara Security Advisory GHSA-55rq-xr6j-qvw5
 - NPM Advisory 1987: Denial of Service in hummus and muhammara

CVE Record:

- CVE-2022-39381 on CVE.org

Muhammara NPM Package:

- https://www.npmjs.com/package/muhammara

Hummusjs NPM Package:

- https://www.npmjs.com/package/hummus

PDF Fuzzing Example Tools:

- PDF Fuzzing Tools List

QPDF Validation Tool:

- qpdf


In Summary:  
If your app processes PDFs with muhammara or hummusjs, update to muhammara 2.6. or better. If you can’t update, never trust user-provided PDFs, and always validate them first. This small change could keep your service from being taken offline by a single bad file.

Timeline

Published on: 11/02/2022 15:15:00 UTC
Last modified on: 11/04/2022 02:42:00 UTC