CVE-2022-25881

Published Jan 31, 2023

Last updated a year ago

CVSS medium 5.3
npm

Overview

Description
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Source
report@snyk.io
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

report@snyk.io
CWE-1333
nvd@nist.gov
CWE-1333
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-1333

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Nx Console Embedded Malicious Code VulnerabilityCVE-2026-48027
  2. Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.CVE-2026-9496
  3. TanStack Unspecified VulnerabilityCVE-2026-45321
  4. Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.CVE-2026-42264
  5. NPM package next-npm-version1.0.1 is vulnerable to Command injection.CVE-2025-63706

References

Sources include official advisories and independent security research.