CVE-2022-41957: Unchecked Return Value to NULL Pointer Dereference

November 28, 2022 (updated December 1, 2022)

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara’s predecessor package hummus, is vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.

References

github.com/julianhille/MuhammaraJS/pull/235
github.com/julianhille/MuhammaraJS/pull/238
github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26
nvd.nist.gov/vuln/detail/CVE-2022-41957

Detect and mitigate CVE-2022-41957 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →