CVE-2022-25881
Inefficient Regular Expression Complexity vulnerability in http-cache-semantics (npm)


What is CVE-2022-25881 About?

The 'http-cache-semantics' package is vulnerable to a Regular Expression Denial of Service (ReDoS) due to inefficient regex complexity. This can lead to a denial of service if a web server using the library processes specially crafted malicious request headers. Exploiting this is relatively easy for an attacker who can send HTTP requests.

Affected Software

  • http-cache-semantics
    • <4.1.1
  • org.webjars.npm:http-cache-semantics
    • <4.1.1

Technical Details

This vulnerability resides in the 'http-cache-semantics' package prior to version 4.1.1. It specifically involves an inefficiently constructed regular expression used when processing HTTP request header values. When a server employing this library attempts to parse cache policy information from a request containing a maliciously crafted, complex string in its headers, the flawed regular expression can enter a state of catastrophic backtracking. This excessive processing consumes significant CPU resources, leading to a denial of service for the server as it becomes unresponsive to legitimate requests. The attack vector is through sending specific, malformed HTTP request headers.

What is the Impact of CVE-2022-25881?

Successful exploitation may allow attackers to cause a denial of service (DoS) condition, making the affected service unresponsive or unavailable to legitimate users.

What is the Exploitability of CVE-2022-25881?

Exploitation requires sending a specially crafted HTTP request header directly to the vulnerable server. The complexity is low as it primarily involves forming a malicious string for a header. No authentication or elevated privileges are required, making it a remote, unauthenticated attack. The primary prerequisite is that the target server utilizes the affected 'http-cache-semantics' library to parse request headers for cache policy. The likelihood of exploitation increases if the server exposes its HTTP endpoint publicly and does not implement input validation or rate limiting on incoming requests.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-25881?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch corrects the parsing of HTTP Cache-Control headers by ensuring that directive keys and values are properly trimmed of whitespace, which prevents attackers from abusing poorly-parsed headers to inject or bypass cache directives. By fixing how the header is split and trimming inputs, it addresses the root cause of CVE-2022-25881, which allowed malicious Cache-Control directives via crafted whitespace, leading to potential cache poisoning or evasion.
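As an added example (not code from http-cache-semantics or from the vendor patch), the parser below follows the split-then-trim strategy the fix description outlines and the Technical Details section motivates: it splits on the literal separators first and trims afterwards, so no regex is ever applied to attacker-controlled whitespace. The function names and the MAX_HEADER_LEN cap are this example's own assumptions, the cap standing in for the input validation the exploitability section recommends.

```javascript
// Added example: a Cache-Control parser in the split-then-trim style the
// advisory describes. Not the library's own code; names and the length cap
// are assumptions made for this example.

const MAX_HEADER_LEN = 4096; // assumed defence-in-depth cap, not from the advisory

// Parse a Cache-Control header value into { directive: value | true }.
// Keys are lower-cased; surrounding double quotes are stripped from values.
function parseCacheControl(header) {
  const cc = {};
  if (typeof header !== 'string' || header.length === 0) return cc;
  // String.split with a literal separator is linear in the input length.
  // The pre-4.1.1 code split on /\s*,\s*/ instead, a pattern that backtracks
  // quadratically on a long run of spaces that contains no comma.
  for (const part of header.split(',')) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (key === '') continue; // tolerate empty list elements such as "a,,b"
    let value = true;
    if (eq !== -1) {
      value = part.slice(eq + 1).trim();
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1); // minimal unquoting, enough for this example
      }
    }
    cc[key] = value;
  }
  return cc;
}

// Defence-in-depth wrapper: refuse oversized header values before parsing.
// Returns null when the header is rejected so callers can treat it as absent.
function parseCacheControlGuarded(header, maxLen = MAX_HEADER_LEN) {
  if (typeof header === 'string' && header.length > maxLen) return null;
  return parseCacheControl(header);
}
```

Parsing is linear even for a directive followed by 100,000 spaces, and the guarded variant rejects such a value outright before it reaches the parser.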

Available Upgrade Options

  • http-cache-semantics
    • <4.1.1 → Upgrade to 4.1.1
  • org.webjars.npm:http-cache-semantics
    • <4.1.1 → Upgrade to 4.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25881?

Similar Vulnerabilities: CVE-2022-25883, CVE-2021-3918, CVE-2021-42200, CVE-2021-45061, CVE-2021-44716