CVE-2022-25940

All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb	Exploit Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617	Exploit Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-12-20 05:15

Updated : 2024-02-28 19:51

NVD link : CVE-2022-25940

Mitre link : CVE-2022-25940

CVE.ORG link : CVE-2022-25940

JSON object : View

Products Affected

lite-server_project

lite-server

CWE

NVD-CWE-Other

{"id": "CVE-2022-25940", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-12-20T05:15:11.683", "references": [{"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}, {"lang": "es", "value": "Todas las versiones del paquete lite-server son vulnerables a la Denegaci\u00f3n de Servicio (DoS) cuando un atacante env\u00eda una solicitud HTTP e incluye caracteres de control que la funci\u00f3n decodeURI() no puede analizar."}], "lastModified": "2022-12-29T18:36:30.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B55203D1-F514-4E83-A760-7492D471A648"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}