CVE-2022-25885: 
JavaScript vulnerability analysis and mitigation

CVE-2022-25885 affects the muhammara package before version 2.6.0 and all versions of the hummus package. The vulnerability was discovered and disclosed on October 31, 2022, by Julian Hille. This is a Denial of Service (DoS) vulnerability that occurs when PDFStreamForResponse() is used with invalid data (Snyk Advisory).

The vulnerability is caused by improper input validation in the PDFStreamForResponse function. When null or invalid data is passed to PDFStreamForResponse(), it leads to a crash in the v8:V8:toLocalEmpty call, causing memory corruption. The vulnerability has a CVSS v3.1 base score of 7.5 (High), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction (Snyk Advisory).

When exploited, this vulnerability results in a total loss of availability, causing the application to crash. The attacker can fully deny access to resources in the impacted component, either sustained while the attack continues or persistent even after the attack completes (Snyk Advisory).

The vulnerability has been fixed in muhammara version 2.6.0 and hummus version 1.0.111. Users should upgrade to these or later versions. The fix involves adding proper input validation checks for the PDFStreamForResponse function (GitHub Commit).