CVE-2022-41957

Name: CVE-2022-41957
Creator: NVD / NIST
Published: 2022-11-28T15:15:10.697+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.93%

Last modified Jun 17, 2026

CVE-2022-41957 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. EPSS estimates a 0.93% chance of exploitation in the next 30 days.

Description

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.93%

56.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-690

Affected Software

Vendor	Product	Versions
Muhammara Project	Muhammara	< 2.6.2
Muhammara Project	Muhammara	>= 3.0.0, < 3.3.0
Hummus Project	Hummus	All versions

References

https://github.com/julianhille/MuhammaraJS/pull/235Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/238Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/235Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/238Issue Tracking, Patch, Third Party Advisory
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26Third Party Advisory

Timeline

Published: Nov 28, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-41957?

How severe is CVE-2022-41957?

CVE-2022-41957 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.93% probability of exploitation in the next 30 days.

How do I fix CVE-2022-41957?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-41957?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST