CVE-2022-32212

Advisory lineage Upstream: 0 Downstream: 25
Modified
Published: 14 Jul 2022, 00:00
Last modified:30 Apr 2025, 22:24

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
8.1 HIGH
v3.1 (nvd)
EPSS Score
0.06% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

14 Jul 2022, 00:00
Published
Vulnerability first disclosed
30 Apr 2025, 22:24
Last Modified
Vulnerability information updated

Description

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

CVSS Metrics

  • v3.1HIGHScore: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.06% Percentile: 20%

Techniques & Countermeasures

  • CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • CWE-284Improper Access Control

    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

  • debiandebian_linux

    10.0 | 11.0

  • fedoraprojectfedora

    35 | 36 | 37

  • nodejsnode

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.20.1 | ≥ 15.0, < 15.* | ≥ 16.0, < 16.17.1 | ≥ 17.0, < 17.* | ≥ 18.0, < 18.9.1

  • nodejsnode.js

    ≥ 14.0.0, ≤ 14.14.0 | ≥ 14.15.0, < 14.20.1 | ≥ 16.0.0, ≤ 16.12.0 | ≥ 16.13.0, < 16.17.1 | ≥ 18.0.0, < 18.5.0

  • siemenssinec_ins

    < 1.0 | 1.0 | 1.0:sp1

References (1)