CVE-2022-0666
Published: 18 February 2022
Summary
CVE-2022-0666 is a high-severity CRLF Injection (CWE-93) vulnerability in Microweber (vendor Microweber). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-0666 is a CRLF injection vulnerability, tracked under CWE-93, that affects the microweber/microweber package distributed via Packagist. It stems from insufficient input filtering (reported against https://demo.microweber.org/) and is present in all versions prior to 1.2.11; crafted input containing carriage-return/line-feed sequences can trigger unintended exposure of stack traces.
An unauthenticated remote attacker can supply malicious input over the network to exploit the flaw, resulting in disclosure of sensitive stack trace data and a high confidentiality impact without any requirement for user interaction or privileges.
The referenced GitHub commits and huntr.dev bounty reports document the remediation, which consists of adding proper filtering logic; the fix is included in release 1.2.11 and later.
The EPSS score rose from lower values to a peak of 0.2890 on 2025-12-11 before receding to the current 0.1724, indicating that exploitation interest increased after disclosure and has since partially subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0798
Vulnerability details
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
- CWE(s): CWE-93 (CRLF Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.