CVE-2022-41957 - Denial of Service in Muhammara and Hummus Node Modules for PDF Processing

If you’re working with PDFs in Node.js or Electron, you might have used either Muhammara or its older predecessor, Hummus. These packages let you programmatically create or modify PDFs, thanks to their C/C++ bindings under the hood. But if your project depends on these modules and processes PDFs from users or external sources, you need to be aware of a critical security issue: CVE-2022-41957.

This vulnerability can allow attackers to break your application by sending a specially crafted PDF file that makes your server unresponsive—a *Denial of Service (DoS)* attack.

Below, we’ll walk through the details, including example code, the affected versions, the fix, how to protect yourself, and links to the official advisories.

Issue:

- A carefully crafted PDF can trigger an infinite loop or crash, making the server hang or even consume all available memory (DoS).

Technical Details

Inside Muhammara (and previously Hummus), the core PDF parsing and writing work happens in C++, exposed to Node.js by bindings. When certain non-standard or malformed PDFs are loaded, the validation logic could loop forever or crash. This could exhaust system resources on your server or Electron backend—meaning an attacker could take your service offline just by uploading or submitting a weird PDF.

Why does this happen?

PDF format is very flexible. Attackers can exploit edge cases or undefined states in the parser’s logic, especially in C/C++ code that isn’t covered by comprehensive error checks.

Suppose you use Muhammara to read, modify, or merge PDF files. Here’s a typical usage snippet (written against hummus; Muhammara exposes the same API):

const hummus = require('hummus'); // require('muhammara') works identically

// Opens an existing PDF for modification and writes the result to outputPDFPath.
// All parsing of inputPDFPath happens inside the native C++ bindings.
function mergeDocument(inputPDFPath, outputPDFPath) {
  const pdfWriter = hummus.createWriterToModify(inputPDFPath, {
    modifiedFilePath: outputPDFPath,
  });
  pdfWriter.end();
}

// This call is risky if inputPDFPath is a user-supplied PDF
mergeDocument('user-uploaded.pdf', 'output.pdf');

If user-uploaded.pdf is a malicious PDF crafted to exploit this bug, your entire server process could become unresponsive or crash while running createWriterToModify(). This can be triggered with a single HTTP request if your service offers PDF upload functionality.

Exploit Details

- Attack vector: Malicious PDF file provided to any code path that calls Muhammara or Hummus’s createWriterToModify(), createReader(), or similar functions.
- Impact: Your Node.js or Electron process hangs, crashes, or gets killed by the OS due to high memory or CPU usage.
- No need for authentication: Anyone who can upload or submit a PDF can exploit this vulnerability if your app uses these modules with untrusted files.

Official References

- GitHub advisory for Muhammara
- NPM Advisory
- CVE Details page
- Muhammara NPM Package page
- Hummus NPM Package page (deprecated)


If you want to check whether your dependencies are vulnerable, use npm audit, yarn audit, or Snyk:

npm audit
# or
npx snyk test

Look for advisories that mention Muhammara or Hummus.

Conclusion

CVE-2022-41957 is a real-world, easy-to-trigger DoS risk for anyone handling user-generated PDFs with Muhammara or Hummus. If your service deals with PDFs in any way, update immediately. Even if you trust your users today, you want to avoid someone bringing down your service in the future.

Recap:

Never process PDFs from unknown sources unless you’re patched.

Stay safe, and always keep an eye on advisories in your dependencies!

Further Reading

- PDF Attacker's Guide
- Node.js Security Best Practices

If you want more details or help with migrating your code, check out the official Muhammara migration guide.

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:37:00 UTC