CVE-2022-25940 - Vulnerability Details - OpenCVE

All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lite-server Project	Lite-server

Configuration 1 [-]

cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617
https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-12-21T01:21:43.830108Z

Updated: 2024-09-16T23:41:49.447Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25940

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-20T05:15:11.683

Modified: 2024-11-21T06:53:14.910

Link: CVE-2022-25940

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-25940", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-16T23:41:49.447Z", "dateReserved": "2022-02-24T00:00:00", "datePublished": "2022-12-21T01:21:43.830108Z"}, "containers": {"cna": {"title": "Denial of Service (DoS)", "datePublic": "2022-12-20T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2022-12-20T00:00:00"}, "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}], "affected": [{"vendor": "n/a", "product": "lite-server", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}], "credits": [{"lang": "en", "value": "Liran Tal"}, {"lang": "en", "value": "Snyk"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 7.5, "temporalScore": 7.1, "baseSeverity": "HIGH", "temporalSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Denial of Service (DoS)"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.375Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*", "matchCriteriaId": "B55203D1-F514-4E83-A760-7492D471A648", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}, {"lang": "es", "value": "Todas las versiones del paquete lite-server son vulnerables a la Denegaci\u00f3n de Servicio (DoS) cuando un atacante env\u00eda una solicitud HTTP e incluye caracteres de control que la funci\u00f3n decodeURI() no puede analizar."}], "id": "CVE-2022-25940", "lastModified": "2024-11-21T06:53:14.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-20T05:15:11.683", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}