CVE-2022-25906

HIGH

is-http2 - OS Command Injection via isH2 Function

Title source: llm

Description

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.

References (2)

Core 2

Core References

Broken Link

https://github.com/stefanjudis/is-http2/blob/master/index.js%23L23

Exploit, Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878

Scores

CVSS v3 7.4

EPSS 0.0036

EPSS Percentile 58.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

is-http2_project/is-http2

npm/is-http2 0npm

Published Feb 01, 2023

Tracked Since Feb 18, 2026