CVE-2022-44019
Published: 30 October 2022
Summary
CVE-2022-44019 is a high-severity OS Command Injection (CWE-78) vulnerability in Totaljs Total.Js. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-44019 is an OS command injection vulnerability (CWE-78) affecting Total.js version 4 prior to commit 0e5ace7. The flaw resides in the /api/common/ping endpoint, which passes an unsanitized host parameter containing shell metacharacters directly to a system command, enabling arbitrary command execution.
An attacker with low-privileged authenticated access can exploit the issue over the network by submitting a crafted request to the ping endpoint. Successful exploitation yields remote code execution, allowing the attacker to compromise the confidentiality, integrity, and availability of the affected server, which is reflected in the CVSS score of 8.8.
Public references, including the Total.js code repository issue and a technical write-up, point to the patch introduced in commit 0e5ace7. Upgrading to a version containing this fix is the primary mitigation.
EPSS scores for this CVE rose from lower values to a peak of 0.0808 on 2025-01-22 before receding to the current 0.0362, indicating a period of heightened exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46982
Vulnerability details
In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.