Cyber Resilience

CVE-2022-0666

Severity: High · Public PoC available

Published: 18 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: 1.2.11
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1724 (95.2nd percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-0666 is a high-severity CRLF Injection (CWE-93) vulnerability in Microweber, the open-source CMS published by Microweber and distributed on Packagist as microweber/microweber. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 4.8% of CVEs by EPSS-estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-0666 is a CRLF injection vulnerability, tracked under CWE-93, that affects the microweber/microweber package distributed via Packagist. It stems from missing filtering of carriage-return and line-feed characters in user-controlled input; the original report demonstrated it against https://demo.microweber.org/. All versions prior to 1.2.11 are affected: crafted input containing CRLF sequences reaches an error path whose response exposes a stack trace to the client.

An unauthenticated remote attacker can send such input over the network without any user interaction or privileges. The disclosed stack trace reveals internal details such as file paths and code structure, which is why the CVSS vector records a high confidentiality impact (C:H) with no integrity or availability impact.
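Because the probe arrives as an ordinary HTTP request, a CRLF injection attempt is visible in the web server's access log. The following added example (not from the Microweber project or the bounty report) scans constructed Apache combined-format log lines for request targets carrying raw or percent-encoded CR/LF, including double-encoded forms, and flags those that also produced a 5xx, since an injected CRLF that reached an error path is exactly where an unfiltered stack trace would have been returned. The log lines, IP addresses and paths are constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" format. They are not
# real traffic and not from the Microweber report; they only stand in for what
# a CRLF probe against a web application looks like on the wire.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2022:10:00:01 +0000] "GET /shop/?category=books HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Feb/2022:10:00:02 +0000] "GET /api/search?q=test%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 500 2048 "-" "curl/7.81.0"
203.0.113.12 - - [18/Feb/2022:10:00:03 +0000] "GET /%0D%0AX-Injected:%201 HTTP/1.1" 500 4096 "-" "python-requests/2.27"
203.0.113.13 - - [18/Feb/2022:10:00:04 +0000] "GET /blog/?page=%250d%250a HTTP/1.1" 500 4096 "-" "curl/7.81.0"
203.0.113.14 - - [18/Feb/2022:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request-line fields of the combined log format; the rest of the line
# (size, referrer, user agent) is not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

CRLF_RE = re.compile(r"[\r\n]")


def has_crlf(target: str, max_decodes: int = 2) -> bool:
    """True if the request target carries a CR or LF, raw or percent-encoded.

    The target is decoded up to max_decodes times so that double-encoded
    probes (%250d%250a -> %0d%0a -> CR LF) are caught as well.
    """
    value = target
    for _ in range(max_decodes + 1):
        if CRLF_RE.search(value):
            return True
        value = unquote(value)
    return False


def find_crlf_probes(log_text: str) -> list[dict]:
    """Return one record per request whose target contains CR/LF sequences.

    error_path is True when the request also produced a 5xx: the injected
    CRLF reached an error handler, which is where an unfiltered stack trace
    would be sent back to the client.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_crlf(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": status,
                "error_path": status >= 500,
            })
    return hits


if __name__ == "__main__":
    for hit in find_crlf_probes(SAMPLE_LOG):
        print(hit)
```

The decode loop matters: a WAF or log rule that only looks for the literal `%0d%0a` misses the double-encoded form, which a framework that decodes twice (once at the router, once in the application) would still turn into a CRLF.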

The referenced GitHub commits and huntr.dev bounty reports document the remediation, which adds filtering of CR/LF characters to the affected input; the fix ships in release 1.2.11 and later.
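The page does not record the exact Microweber code path, so the following added example (not Microweber's code, which is PHP) is a Python model of the failure mode: a response-header API that refuses CR/LF by raising, and a handler that renders that exception with debug-style error output, beside the filtered handler that the 1.2.11-style fix corresponds to. The function names (`set_header`, `vulnerable_redirect`, `hardened_redirect`), the use of a `Location` header and the exception-based mechanism are assumptions made for illustration.

```python
from __future__ import annotations

import traceback


class HeaderInjectionError(ValueError):
    """Raised by the stand-in header API when a value carries CR or LF."""


def set_header(headers: dict[str, str], name: str, value: str) -> None:
    """Stand-in for a response-header API that refuses CR/LF.

    Assumption for this example: like PHP's header() and common HTTP
    libraries, the API rejects newline characters in a header value, and the
    refusal surfaces as an exception rather than as a split header.
    """
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError(f"header {name!r} may not contain CR or LF")
    headers[name] = value


def vulnerable_redirect(url: str, debug: bool = True) -> tuple[int, dict[str, str], str]:
    """Unfiltered handler: user input goes straight into the Location header.

    With debug error rendering on, the exception raised by set_header becomes
    an error page carrying the full stack trace, which is the
    information-disclosure outcome described for CVE-2022-0666.
    """
    headers: dict[str, str] = {}
    try:
        set_header(headers, "Location", url)
        return 302, headers, ""
    except Exception:
        # Debug-style error page: the whole trace is sent to the client.
        body = traceback.format_exc() if debug else "Internal Server Error"
        return 500, {}, body


def strip_crlf(value: str) -> str:
    """Remove CR and LF from a value destined for a header."""
    return value.replace("\r", "").replace("\n", "")


def hardened_redirect(url: str) -> tuple[int, dict[str, str], str]:
    """Filtered handler: CR/LF is detected before the value reaches the header API.

    Input containing CR/LF is refused with a 400 and a fixed message, so no
    exception (and therefore no trace) is produced for the injected input.
    """
    if strip_crlf(url) != url:
        return 400, {}, "Bad Request"
    headers: dict[str, str] = {}
    set_header(headers, "Location", url)
    return 302, headers, ""


if __name__ == "__main__":
    probe = "/home\r\nX-Injected: 1"
    print(vulnerable_redirect(probe)[2])  # stack trace leaks to the client
    print(hardened_redirect(probe))       # (400, {}, 'Bad Request')
```

Rejecting the input (as `hardened_redirect` does) is stricter than silently stripping the characters with `strip_crlf` and continuing; either closes the trace exposure, but stripping can leave a surprising value in the header. Note that `debug=False` in the vulnerable handler hides the trace without fixing the injection, which is why disabling debug output is a compensating control and not the remediation.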

The EPSS score rose from lower values to a peak of 0.2890 on 2025-12-11 before receding to the current 0.1724. EPSS estimates the probability that a CVE will be exploited in the wild within the next 30 days, so the rise means the model's assessed exploitation likelihood increased after disclosure; it is not evidence of confirmed exploitation.


Vulnerability details

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

CWE(s)

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Related Threats

No named threat-actor attribution, and no ATT&CK technique mapping has been published for this CVE yet.

Affected Assets

Vendor: Microweber
Product: microweber (Packagist microweber/microweber)
Versions: < 1.2.11 (fixed in 1.2.11)

Mitigating Controls

No mitigating controls are mapped for this CVE yet. The remediation the page records is upgrading microweber/microweber to 1.2.11 or later, where the CR/LF filtering was added. As a compensating control until then, configure the application not to render exception details or stack traces to clients in production, which limits what this error path can disclose but does not remove the injection itself.
