Muhammara is a popular Node.js module that lets developers modify and interact with PDF files from JavaScript in Node.js or Electron applications. It features robust C/C++ bindings and native performance, making it a go-to choice for many developers.

Recently, a critical security vulnerability has been discovered in muhammara (versions prior to 2.6.2 and between 3.. and 3.3.), as well as in all versions of its predecessor package, hummus. This vulnerability, identified as CVE-2022-41957, allows an attacker to orchestrate a Denial of Service (DoS) attack by providing a maliciously crafted PDF file to be parsed.

Exploit Details

The vulnerability lies in the way muhammara and hummus process certain types of malformed PDF files. When given a maliciously crafted PDF file, the packages may enter an infinite loop, consuming excessive system resources and eventually leading to a crash or complete system unresponsiveness. This type of attack is particularly concerning because it can be exploited remotely by any unauthenticated user who is able to submit a PDF file to an affected application.

Code Snippet (example use of muhammara)

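const muhammara = require('muhammara');

const fileName = "input.pdf";
const outputFileName = "output.pdf";

// Create the output document as PDF 1.7.
const pdfWriter = muhammara.createWriter(outputFileName, {
  version: muhammara.ePDFVersion17
});

// Parsing the input file is the step that a crafted PDF targets.
const pdfReader = muhammara.createReader(fileName);
console.log(`Pages in ${fileName}: ${pdfReader.getPagesCount()}`);

// appendPDFPagesFromPDF takes the source file path (or a stream), not a reader object.
pdfWriter.appendPDFPagesFromPDF(fileName);
pdfWriter.end();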

Mitigation

The issue has been patched in muhammara version 3.4. and the fix has been backported to version 2.6.2. To protect your application from this vulnerability, it is recommended to update the muhammara package to one of the patched versions:

npm install muhammara@latest

or

npm install muhammara@2.6.2

As a temporary workaround, you can also avoid processing files from untrusted sources or implement additional security checks on the input files.
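One form the "additional security checks" can take, shown as an added example that is not code from the advisory or the muhammara project: because the parser runs synchronously inside a native binding, a timer in the same process cannot interrupt a parse that never returns, so the parse is moved into a child process that is killed at a deadline. The names `runIsolated`, `PARSE_WORKER`, `SPIN_WORKER` and `ECHO_WORKER` and the timeout values are assumptions made for illustration; the two stand-in workers are constructed so the example runs without muhammara installed.

```javascript
// Added example: parse untrusted PDFs in a throwaway child process with a deadline.
const { execFile } = require('child_process');

// Worker source run with `node -e`; the PDF path is the last argument.
// Assumes muhammara is installed next to the application.
const PARSE_WORKER = `
  const muhammara = require('muhammara');
  const reader = muhammara.createReader(process.argv[process.argv.length - 1]);
  process.stdout.write(JSON.stringify({ pages: reader.getPagesCount() }));
`;

// Constructed stand-ins so the example runs without muhammara or a crafted file.
const SPIN_WORKER = 'for (;;) {}'; // behaves like a parser stuck in an infinite loop
const ECHO_WORKER =
  'process.stdout.write(JSON.stringify({ path: process.argv[process.argv.length - 1] }))';

// Hypothetical helper: resolves to { ok, result } or { ok: false, reason }.
function runIsolated(workerSource, pdfPath, timeoutMs = 5000) {
  return new Promise((resolve) => {
    execFile(
      process.execPath,
      ['-e', workerSource, '--', pdfPath],
      { timeout: timeoutMs, killSignal: 'SIGKILL' },
      (err, stdout) => {
        // err.killed is set when execFile itself terminated the child (deadline hit).
        if (err) return resolve({ ok: false, reason: err.killed ? 'timeout' : 'parser-error' });
        try {
          resolve({ ok: true, result: JSON.parse(stdout) });
        } catch {
          resolve({ ok: false, reason: 'bad-output' });
        }
      }
    );
  });
}

async function demo() {
  const hung = await runIsolated(SPIN_WORKER, 'upload.pdf', 500);
  const fine = await runIsolated(ECHO_WORKER, 'upload.pdf');
  return { hung, fine };
}

demo().then((r) => console.log(r));
// In the application: const outcome = await runIsolated(PARSE_WORKER, uploadedPath);
```

A `timeout` result means the upload should be rejected and logged; the parent process and its event loop stay responsive either way.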

If you are using the hummus package, it is recommended to replace it with the muhammara package, as hummus is no longer actively maintained and is affected by this vulnerability in all its versions.

Conclusion

The CVE-2022-41957 vulnerability poses a significant risk to applications and services relying on the muhammara or hummus node modules. To reduce the impact of this vulnerability, developers are encouraged to promptly update their packages to the fixed versions and replace hummus with muhammara as necessary. When processing PDF files, always consider the potential risks involved and implement necessary security controls, especially when dealing with files from untrusted sources.

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:37:00 UTC