CVE-2022-25765
Published: 09 September 2022
Summary
CVE-2022-25765 is a high-severity vulnerability of unspecified weakness type in Fedoraproject Fedora. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The pdfkit package is vulnerable to command injection because it fails to properly sanitize input URLs before passing them to an underlying command execution routine. The flaw affects all versions starting from 0.0.0 and carries a CVSS 3.1 base score of 7.3, reflecting a network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker can supply a crafted URL over the network and cause arbitrary commands to execute with the privileges of the pdfkit process, resulting in limited disclosure, modification, or disruption of data.
Fedora has published package-announce advisories that address the affected pdfkit versions, while public exploit code demonstrating the injection has been posted to PacketStorm and the vulnerable source locations are documented in the project repository.
The EPSS probability currently stands at 0.8871 with a recorded peak of 0.8880, indicating sustained exploitation interest after disclosure.
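As a mitigation sketch for the unsanitized-URL weakness described above, the following added Ruby example (not pdfkit's code and not the project's fix) validates a caller-supplied URL against a strict allow-list and builds the renderer invocation as an argument array, so no shell ever parses the URL. The host allow-list, the `html-to-pdf` renderer name and the function names are hypothetical.

```ruby
require "uri"

# Hypothetical policy values, constructed for this example.
ALLOWED_SCHEMES = %w[http https].freeze
ALLOWED_HOSTS   = %w[reports.example.internal].freeze

# Conservative URL character set: no whitespace, quotes, backticks,
# "$", ";", "|" or parentheses. Legitimate callers can percent-encode.
URL_CHARS = /\A[A-Za-z0-9\-._~:\/?#\[\]@!&+,=%]+\z/

# Returns the normalized URL string, or nil when the input is rejected.
def safe_render_url(input)
  return nil unless input.is_a?(String) && input.match?(URL_CHARS)

  uri = URI.parse(input)
  # URI::HTTPS is a subclass of URI::HTTP, so this admits both schemes
  # and rejects file:, ftp:, javascript: and scheme-less strings.
  return nil unless uri.is_a?(URI::HTTP) && ALLOWED_SCHEMES.include?(uri.scheme)
  return nil unless ALLOWED_HOSTS.include?(uri.host)
  return nil if uri.userinfo # no embedded credentials

  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Builds argv as an array. Passing this to Kernel#system or
# Open3.capture3 with splat (system(*argv)) bypasses the shell entirely,
# so the URL is only ever a single argument. "--" ends option parsing
# for renderers that follow that convention (an assumption here).
def render_argv(input, out_path, renderer: "html-to-pdf")
  url = safe_render_url(input) or raise ArgumentError, "URL rejected"
  [renderer, "--", url, out_path]
end
```

Validation and array-form invocation are independent layers: the second keeps the URL out of a shell even if the first is later loosened.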
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6937
Vulnerability details
The pdfkit package, from version 0.0.0, is vulnerable to Command Injection where the URL is not properly sanitized.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.