Vulnerability Details : CVE-2022-31110
RSSHub is an open source, extensible RSS feed generator. In commits prior to 5c4177441417, passing certain special values to the `filter` and `filterout` parameters can cause abnormally high CPU usage. This degrades the performance of the servers and RSSHub services and may lead to a denial of service. This issue has been fixed in commit 5c4177441417 and all users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: Denial of service
Products affected by CVE-2022-31110
- cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31110
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- Percentile: ~61% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-31110
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | GitHub, Inc. |
CWE ids for CVE-2022-31110
- CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: security-advisories@github.com (Secondary)
- CWE-1333 (Inefficient Regular Expression Complexity): The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-31110
- https://github.com/DIYgod/RSSHub/issues/10045 — [Vulnerability Report Disclosure: ReDoS] Catastrophic Backtracking in User-supplied Regular Expression · Issue #10045 · DIYgod/RSSHub · GitHub (Exploit; Issue Tracking; Mitigation; Third Party Advisory)
- https://github.com/DIYgod/RSSHub/security/advisories/GHSA-jvxx-v45p-v5vf — Denial of Service (DoS) vulnerability · Advisory · DIYgod/RSSHub · GitHub (Patch; Third Party Advisory)
- https://github.com/DIYgod/RSSHub/commit/5c4177441417b44a6e45c3c63e9eac2504abeb5b — fix: use re2, thank @Rongronggg9 · DIYgod/RSSHub@5c41774 · GitHub (Patch; Third Party Advisory)