
CVE-2022-25765

Severity: High · Public PoC available

Published: 09 September 2022
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (none recorded on this page)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.8871 (99.5th percentile)
Risk Priority: 68 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25765 is a high-severity vulnerability with an unspecified weakness type (no CWE assigned) affecting the Fedora Project's Fedora distribution. Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The pdfkit package is vulnerable to command injection because it fails to properly sanitize input URLs before passing them to an underlying command execution routine. The flaw affects all versions from 0.0.0 onward and carries a CVSS 3.1 base score of 7.3, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated attacker who can supply a crafted URL over the network can cause arbitrary commands to execute with the privileges of the pdfkit process, resulting in limited disclosure, modification, or disruption of data (the CVSS vector rates each of confidentiality, integrity, and availability impact as Low).

Fedora has published package-announce advisories that address the affected pdfkit versions. Public exploit code demonstrating the injection has been posted to PacketStorm, and the vulnerable source locations are documented in the project repository.

The EPSS probability currently stands at 0.8871 with a recorded peak of 0.8880, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Vendor: pdfkit project · Product: pdfkit · Versions: ≥ 0.0.0
- Vendor: fedoraproject · Product: fedora · Versions: 35, 36, 37

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References