CVE-2022-25940 - Vulnerability Details - OpenCVE

All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00508.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Lite-server Project Subscribe	Lite-server Subscribe

Configuration 1 [-]

cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7561	lite-server vulnerable to Denial of Service
Github GHSA	GHSA-89w7-5q45-r53w	lite-server vulnerable to Denial of Service

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617
https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540

History

Wed, 16 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-12-21T01:21:43.830Z

Updated: 2025-04-16T18:34:01.838Z

Reserved: 2022-02-24T00:00:00.000Z

Link: CVE-2022-25940

Vulnrichment

Updated: 2024-08-03T04:49:44.375Z

NVD

Status : Modified

Published: 2022-12-20T05:15:11.683

Modified: 2025-04-16T19:15:45.770

Link: CVE-2022-25940

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-25940", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2025-04-16T18:34:01.838Z", "dateReserved": "2022-02-24T00:00:00.000Z", "datePublished": "2022-12-21T01:21:43.830Z"}, "containers": {"cna": {"title": "Denial of Service (DoS)", "datePublic": "2022-12-20T00:00:00.000Z", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2022-12-20T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}], "affected": [{"vendor": "n/a", "product": "lite-server", "versions": [{"version": "0", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}], "credits": [{"lang": "en", "value": "Liran Tal"}, {"lang": "en", "value": "Snyk"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "baseScore": 7.5, "temporalScore": 7.1, "baseSeverity": "HIGH", "temporalSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Denial of Service (DoS)"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.375Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T18:33:34.555541Z", "id": "CVE-2022-25940", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T18:34:01.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.375Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-25940", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T18:33:34.555541Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T18:33:57.808Z"}}], "cna": {"title": "Denial of Service (DoS)", "credits": [{"lang": "en", "value": "Liran Tal"}, {"lang": "en", "value": "Snyk"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "temporalScore": 7.1, "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "lite-server", "versions": [{"status": "affected", "version": "0", "lessThan": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-12-20T00:00:00.000Z", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}], "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Denial of Service (DoS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2022-12-20T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-25940", "state": "PUBLISHED", "dateUpdated": "2025-04-16T18:34:01.838Z", "dateReserved": "2022-02-24T00:00:00.000Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2022-12-21T01:21:43.830Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lite-server_project:lite-server:-:*:*:*:*:node.js:*:*", "matchCriteriaId": "B55203D1-F514-4E83-A760-7492D471A648", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse."}, {"lang": "es", "value": "Todas las versiones del paquete lite-server son vulnerables a la Denegaci\u00f3n de Servicio (DoS) cuando un atacante env\u00eda una solicitud HTTP e incluye caracteres de control que la funci\u00f3n decodeURI() no puede analizar."}], "id": "CVE-2022-25940", "lastModified": "2025-04-16T19:15:45.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-20T05:15:11.683", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}