CVE-2022-41957
HIGHmuhammara < 2.6.2 and 3.0.0-3.3.0 - Denial of Service via Malicious PDF Parsing
Title source: llmDescription
Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.
References (3)
Core 3
Core References
Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/235
Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/238
Third Party Advisory
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26
Scores
CVSS v3
7.5
EPSS
0.0045
EPSS Percentile
63.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-690
Status
published
Products (4)
hummus_project/hummus
muhammara_project/muhammara
< 2.6.2
npm/hummus
0npm
npm/muhammara
3.0.0 - 3.4.0npm
Published
Nov 28, 2022
Tracked Since
Feb 18, 2026