CVE-2022-25851
Denial of Service (DoS) vulnerability in jpeg-js (npm)
What is CVE-2022-25851 About?
This vulnerability is a Denial of Service (DoS) within the jpeg-js package versions prior to 0.4.4. It allows an attacker to cause a program to enter an infinite loop, rendering the application unresponsive. Exploitation is relatively easy, requiring only a specially crafted input.
Affected Software
Technical Details
The vulnerability lies within the jpeg-js package. When processing a specific kind of malicious input, the program encounters a logical flaw that leads it into an infinite loop. The program stops making progress while consuming all available resources, effectively causing a Denial of Service. The attack vector is the provision of this crafted input to the vulnerable jpeg-js component.
What is the Impact of CVE-2022-25851?
Successful exploitation may allow attackers to disrupt service availability, cause system unresponsiveness, and potentially lead to resource exhaustion.
What is the Exploitability of CVE-2022-25851?
Exploitation of this vulnerability is considered low to medium complexity, as it primarily involves supplying a specially crafted input. There are no particular authentication or privilege requirements to trigger the infinite loop, as the vulnerability is in how the library processes data. This is typically a remote vulnerability if the jpeg-js package is used in a service that processes external input, but could also be local if an attacker can feed input into a local application. The primary risk factor is any application that accepts and processes image data using the vulnerable library version.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25851?
About the Fix from Resolved Security
The patch enforces checks to ensure JPEG sampling factors (h and v) are above zero, throwing an error if invalid values are encountered, and initializes their maximum values to 1 per the JPEG standard. This fixes CVE-2022-25851 by preventing crafted JPEGs with invalid (zero or negative) sampling factors from triggering out-of-bounds memory access or causing application crashes.
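As an added example (not code from jpeg-js or from Resolved Security), the guard below applies the same rule before image bytes reach a decoder: it walks the marker segments to the first frame header and rejects sampling factors outside 1 to 4, the range the JPEG standard (ITU-T T.81) allows, which is stricter than the above-zero check described here. The function names and the sample header are constructed for illustration.

```javascript
// Frame-header (SOFn) markers per ITU-T T.81: C0-CF except C4 (DHT), C8 (JPG), CC (DAC).
function isSOF(m) {
  return m >= 0xc0 && m <= 0xcf && m !== 0xc4 && m !== 0xc8 && m !== 0xcc;
}

// Hypothetical helper: returns the frame components, or throws if the header
// is malformed or any sampling factor is outside 1..4.
function checkSamplingFactors(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== 0xd8) {
    throw new Error('not a JPEG: missing SOI');
  }
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error('expected marker at offset ' + pos);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }      // fill byte before a marker
    if (marker === 0xd9 || marker === 0xda) break;     // EOI or SOS before any frame header
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3]; // segment length, includes itself
    if (len < 2 || pos + 2 + len > bytes.length) throw new Error('truncated segment');
    if (isSOF(marker)) {
      const nf = bytes[pos + 9];                        // number of components
      if (len !== 8 + 3 * nf) throw new Error('bad frame header length');
      const comps = [];
      for (let i = 0; i < nf; i++) {
        const b = bytes[pos + 11 + 3 * i];              // high nibble H, low nibble V
        const h = b >> 4, v = b & 15;
        if (h < 1 || h > 4 || v < 1 || v > 4) {
          throw new Error(`invalid sampling factor ${h}x${v}`);
        }
        comps.push({ id: bytes[pos + 10 + 3 * i], h, v });
      }
      return comps;
    }
    pos += 2 + len;                                     // skip APPn, DQT, DHT, ...
  }
  throw new Error('no frame header found');
}

// Constructed sample: SOI + baseline SOF0, 16x16, 3 components (2x2, 1x1, 1x1).
const SAMPLE_HEADER = new Uint8Array([
  0xff, 0xd8, 0xff, 0xc0, 0x00, 0x11, 0x08, 0x00, 0x10, 0x00, 0x10, 0x03,
  0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01,
]);
console.log(checkSamplingFactors(SAMPLE_HEADER));
```

A guard like this is defence in depth for services that accept untrusted images; upgrading to 0.4.4 remains the fix.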
Available Upgrade Options
- jpeg-js
- <0.4.4 → Upgrade to 0.4.4
Additional Resources
- https://github.com/jpeg-js/jpeg-js/commit/9ccd35fb5f55a6c4f1902ac5b0f270f675750c27
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2860295
- https://github.com/jpeg-js/jpeg-js/issues/105
- https://github.com/jpeg-js/jpeg-js
- https://github.com/jpeg-js/jpeg-js/pull/106/
- https://snyk.io/vuln/SNYK-JS-JPEGJS-2859218
- https://nvd.nist.gov/vuln/detail/CVE-2022-25851
- https://osv.dev/vulnerability/GHSA-xvf7-4v9q-58w6
What are Similar Vulnerabilities to CVE-2022-25851?
Similar Vulnerabilities: CVE-2021-39144, CVE-2021-38297, CVE-2021-42340, CVE-2020-2849, CVE-2018-1000627
