CVE-2022-0355 – CVE-2022-0355 is an information disclosure vuln... (How to Fix)

Q: What is the severity of CVE-2022-0355?

CVE-2022-0355 has a CVSS score of 8.8 (HIGH). CVE-2022-0355 is an information disclosure vulnerability in the NPM simple-get package where sensitive data like authorization headers and cookies are improperly removed before being stored in debug logs. This affects any application using simple-get versions prior to 4.0.1 that has debug logging enabled, potentially exposing authentication credentials and session tokens.

📋 TL;DR

CVE-2022-0355 is an information disclosure vulnerability in the NPM simple-get package where sensitive data like authorization headers and cookies are improperly removed before being stored in debug logs. This affects any application using simple-get versions prior to 4.0.1 that has debug logging enabled, potentially exposing authentication credentials and session tokens.

💻 Affected Systems

Products:

simple-get NPM package

Versions: All versions prior to 4.0.1

Operating Systems: All platforms running Node.js

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when debug logging is enabled. The vulnerability exists in the debug logging functionality that improperly handles sensitive headers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to authentication tokens, session cookies, or API keys, leading to account takeover, data breaches, or lateral movement within systems.

🟠

Likely Case

Sensitive credentials exposed in debug logs that may be accessible to unauthorized users or logged to insecure locations.

🟢

If Mitigated

Limited exposure if debug logging is disabled or logs are properly secured with restricted access.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to debug logs which are typically not exposed externally, but could be if logs are stored in accessible locations.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts with access to debug logs could easily extract sensitive credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to debug logs where sensitive information is stored. No authentication bypass is needed once log access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.1

Vendor Advisory: https://github.com/advisories/GHSA-wpg7-2c88-r8xv

Restart Required: Yes

Instructions:

1. Update package.json to specify simple-get version 4.0.1 or higher. 2. Run 'npm update simple-get' or 'yarn upgrade simple-get'. 3. Restart the application to load the patched version.

🔧 Temporary Workarounds

Disable debug logging

all

Disable debug logging in simple-get configuration to prevent sensitive data from being logged.

Set DEBUG environment variable to exclude simple-get: DEBUG=*,-simple-get*

Secure log storage

all

Implement strict access controls and encryption for log files containing debug information.

🧯 If You Can't Patch

Disable debug logging entirely in production environments
Implement log filtering to remove sensitive headers before storage

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list simple-get' to see if version is below 4.0.1

Check Version:

npm list simple-get | grep simple-get

Verify Fix Applied:

Confirm simple-get version is 4.0.1 or higher with 'npm list simple-get'

📡 Detection & Monitoring

Log Indicators:

Authorization headers, cookies, or other sensitive data appearing in debug logs from simple-get requests

Network Indicators:

Unusual access patterns to log files or debug endpoints

SIEM Query:

source="application.log" AND "simple-get" AND ("authorization:" OR "cookie:")

📊 Metadata

CVE ID: CVE-2022-0355

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-212

Published: January 26, 2022

Last Updated: February 24, 2026

🔗 References

https://github.com/advisories/GHSA-wpg7-2c88-r8xv Third Party Advisory
https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f Patch,Third Party Advisory
https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31 Exploit,Third Party Advisory
https://github.com/advisories/GHSA-wpg7-2c88-r8xv Third Party Advisory
https://github.com/feross/simple-get/commit/e4af095e06cd69a9235013e8507e220a79b9684f Patch,Third Party Advisory
https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0355, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Simple Get by Simple Get Project

Simple Get by Simple Get Project

Simple Get by Simple Get Project

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable debug logging

Secure log storage

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities