CVE-2022-39381: 
JavaScript vulnerability analysis and mitigation

The package muhammara before 2.6.0 and all versions of package hummus (its predecessor) contain a vulnerability that allows Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another (GitHub Advisory, NVD). The vulnerability was discovered in 2022 and affects the PDF processing functionality of these Node.js modules.

The vulnerability stems from an unchecked return value leading to a NULL pointer dereference in PDFDocumentHandler.cpp. This occurs specifically when attempting to append maliciously crafted PDF files to another PDF document. The issue has been assigned CWE-690 classification and has a CVSS v3.1 base score of 7.5 (High severity), indicating a network-accessible attack vector with low complexity and no required privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability can cause a Denial of Service condition by crashing the application when processing certain PDF files. The impact is particularly severe as it affects the core PDF processing functionality and can lead to service disruption when handling malformed PDF documents (GitHub Advisory).

The vulnerability has been patched in muhammara version 2.6.0. For users of the hummus package, no patch is available as the package is no longer maintained. The recommended workaround is to avoid processing files from untrusted sources. Users of hummus should migrate to the muhammara package and update to version 2.6.0 or later (GitHub Advisory).