Impact
The package muhammara before 2.6.1 and from 3.0.0 before 3.1.1, and all versions of the package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to parse: the parser dereferences a NULL pointer and crashes the hosting process.
Patches
Fixed in muhammara 3.1.1; the fix has been backported to 2.6.1.
There is no patch for hummus.
Workarounds
Do not process PDF files from untrusted sources, or update to a patched muhammara release.
Replace hummus with muhammara.
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
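As an added illustration of that weakness class, the C++ below models the parsing pattern in miniature: a dictionary lookup that returns a null pointer when a key is absent, the unchecked dereference that crashes on a crafted dictionary, and the checked form that turns the same input into a reported error. This is example code written for this page, not HummusJS or muhammara source; every name in it (PdfObject, PdfDictionary, ParseDictionary, PageTypeUnchecked, PageTypeChecked, ParsePage) and both sample dictionaries are hypothetical and constructed.

```cpp
// Illustrative model of "unchecked NULL return, then dereference" in a PDF parser.
// Hypothetical names throughout; not HummusJS/muhammara code.
#include <cctype>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Enough of a PDF object model for the demo: name tokens (/Foo) and
// indirect references (n g R).
struct PdfObject {
    enum Kind { Name, Reference } kind = Name;
    std::string name;                      // set when kind == Name
    int objectNumber = 0, generation = 0;  // set when kind == Reference
};

class PdfDictionary {
public:
    // Same contract as many parser lookups: nullptr when the key is absent.
    const PdfObject* QueryDirectObject(const std::string& key) const {
        auto it = entries_.find(key);
        return it == entries_.end() ? nullptr : &it->second;
    }
    void Insert(const std::string& key, const PdfObject& value) { entries_[key] = value; }
private:
    std::map<std::string, PdfObject> entries_;
};

// Small integers only, so std::stoi cannot throw on oversized digit runs.
static bool IsDigits(const std::string& s) {
    if (s.empty() || s.size() > 9) return false;
    for (unsigned char c : s) if (!std::isdigit(c)) return false;
    return true;
}

// Parses the subset "<< /Key /Name /Key2 3 0 R ... >>" (whitespace-separated
// tokens). Returns false on anything it does not understand.
bool ParseDictionary(const std::string& src, PdfDictionary& dict) {
    std::istringstream in(src);
    std::vector<std::string> tok;
    for (std::string t; in >> t;) tok.push_back(t);
    if (tok.size() < 2 || tok.front() != "<<" || tok.back() != ">>") return false;
    const size_t end = tok.size() - 1;  // index of the closing >>
    size_t i = 1;
    while (i < end) {
        if (tok[i].size() < 2 || tok[i][0] != '/' || i + 1 >= end) return false;
        const std::string key = tok[i].substr(1);
        const std::string& v = tok[i + 1];
        PdfObject obj;
        if (v[0] == '/' && v.size() > 1) {          // /Name value
            obj.kind = PdfObject::Name;
            obj.name = v.substr(1);
            i += 2;
        } else if (i + 3 < end && IsDigits(v) && IsDigits(tok[i + 2]) && tok[i + 3] == "R") {
            obj.kind = PdfObject::Reference;          // n g R value
            obj.objectNumber = std::stoi(v);
            obj.generation = std::stoi(tok[i + 2]);
            i += 4;
        } else {
            return false;
        }
        dict.Insert(key, obj);
    }
    return true;
}

// VULNERABLE shape (the weakness described above): the lookup result is
// dereferenced without a NULL check, so a dictionary with no /Type entry
// crashes the process instead of reporting an error. Only safe on dictionaries
// already known to carry /Type.
std::string PageTypeUnchecked(const PdfDictionary& dict) {
    return dict.QueryDirectObject("Type")->name;
}

// HARDENED: test the pointer (and the object kind) before use, and hand the
// failure back to the caller.
bool PageTypeChecked(const PdfDictionary& dict, std::string& out) {
    const PdfObject* type = dict.QueryDirectObject("Type");
    if (type == nullptr || type->kind != PdfObject::Name) return false;
    out = type->name;
    return true;
}

// End-to-end: 0 = ok, 1 = syntax error, 2 = well-formed but missing/invalid /Type.
int ParsePage(const std::string& src, std::string& typeOut) {
    PdfDictionary dict;
    if (!ParseDictionary(src, dict)) return 1;
    if (!PageTypeChecked(dict, typeOut)) return 2;
    return 0;
}

// Constructed sample inputs (not taken from any real PDF or exploit file).
const std::string kGoodDict = "<< /Type /Page /Parent 3 0 R >>";
const std::string kCraftedDict = "<< /Parent 3 0 R >>";  // well-formed, but no /Type

int main() {
    std::string type;
    std::printf("good:    rc=%d type=%s\n", ParsePage(kGoodDict, type), type.c_str());
    std::printf("crafted: rc=%d (rejected, no crash)\n", ParsePage(kCraftedDict, type));
    // PageTypeUnchecked(kCraftedDict's dictionary) would dereference nullptr here.
    return 0;
}
```

The only difference between the two lookups is the `nullptr` test; the crafted dictionary is syntactically valid, so input validation at the tokenizer level does not catch it, which is why the check has to sit at the point of use (or the lookup has to fail loudly) rather than in the parser front end.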
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25892
galkahana/HummusJS#463
#214
1890fb5
90b278d
https://security.snyk.io/vuln/SNYK-JS-HUMMUS-3091138
https://security.snyk.io/vuln/SNYK-JS-MUHAMMARA-3060320