CVE-2022-22138

7.5 HIGH

📋 TL;DR

CVE-2022-22138 is a vulnerability in the fast-string-search npm package: the package's native search code assumes its arguments are strings, so passing a non-string input causes incorrect computations that end in a memory access violation and a segmentation fault inside the V8 JavaScript engine. Because the fault happens in native code, it cannot be caught by try/catch or an 'uncaughtException' handler; the whole Node.js process terminates. This allows attackers to cause Denial of Service (DoS) by crashing Node.js applications. All users of the fast-string-search package are affected.

💻 Affected Systems

Products:
  • fast-string-search npm package
Versions: All versions per the CVE description (NVD records no version range; this page's fix section cites 1.0.4 as the patched release, confirm that against the vendor advisory before relying on it)
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: No configuration option is involved. Any Node.js application using fast-string-search is vulnerable wherever an attacker-influenced non-string value (a number, array, object, Buffer, null) can reach one of the package's functions.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application crash and unavailability of the Node.js service, potentially affecting dependent services and causing extended downtime.

🟠 Likely Case

Application crashes when processing malicious or malformed input, requiring manual restart and causing temporary service disruption.

🟢 If Mitigated

Minimal impact when input validation in front of the package rejects non-string values before they reach native code (error handling after the call cannot catch a segmentation fault). The added type check costs negligible CPU time.

🌐 Internet-Facing: HIGH - Web applications using this package are directly exposed to malicious input from untrusted sources.
🏢 Internal Only: MEDIUM - Internal applications could still be affected by malformed data or internal attackers, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that an attacker-controlled value of a non-string type reaches a function of fast-string-search; no authentication, special tooling or memory-layout knowledge is needed. The vulnerability is well documented and easy to trigger, for example with a JSON request body whose field is a number or array instead of a string.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4

Vendor Advisory: https://github.com/lemire/fast-string-search/security/advisories/GHSA-4vq7-88gq-mg2c

Restart Required: Yes

Instructions:

1. Update package.json to require 'fast-string-search': '^1.0.4' (or run 'npm install fast-string-search@^1.0.4', which updates package.json and the lockfile together).
2. Run 'npm update fast-string-search', then check 'npm ls fast-string-search --all' so that transitive copies pulled in by other dependencies are updated as well.
3. Restart your Node.js application; the native addon is loaded when the module is first required, so a running process keeps the old code until it is restarted.
4. Test that the application behaves correctly with various input types, including non-string values.

🔧 Temporary Workarounds

Input validation wrapper

Platform: all

Wrap calls to fast-string-search functions with an input type check so that only primitive strings are passed to the native code. The check must run before the call; a try/catch around the call does not help, since a segmentation fault terminates the process.

// Example JavaScript code (assumes the package's indexOf export;
// adjust the call to whichever fast-string-search function you use):
const fss = require('fast-string-search');

function safeSearch(text, pattern) {
  // Reject anything that is not a primitive string before native code runs.
  if (typeof text !== 'string' || typeof pattern !== 'string') {
    throw new TypeError('Inputs must be primitive strings');
  }
  return fss.indexOf(text, pattern);
}
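The wrapper above checks one function. The following is an added example, not code from the fast-string-search project, that generalises it: a reusable guard for any native search function, plus a normalisation step for the values a web framework actually hands over (Buffers, String objects, arrays from repeated query keys). The `nativeIndexOf` function is a pure-JavaScript stand-in for the package's native search so the file runs without the addon installed; in a deployment it would be the addon's export (assumed here to be `require('fast-string-search').indexOf`). The inputs in `demo()` are constructed for the example.

```javascript
'use strict';

// Stand-in for the native search (same (haystack, needle) shape). In a real
// deployment this would be the fast-string-search export, an assumption.
function nativeIndexOf(haystack, needle) {
  return haystack.indexOf(needle);
}

// Wrap `fn` so every argument must be a primitive string before native code
// is reached. A plain `typeof` check is deliberate: String objects
// (`new String('x')`), Buffers and other objects with a toString() are
// rejected rather than coerced, because native code may read the V8
// representation directly instead of calling toString().
function stringArgsOnly(fn, name = fn.name || 'native function') {
  return function guarded(...args) {
    args.forEach((arg, i) => {
      if (typeof arg !== 'string') {
        const got = arg === null ? 'null' : Array.isArray(arg) ? 'array' : typeof arg;
        throw new TypeError(`${name}: argument ${i} must be a string, got ${got}`);
      }
    });
    return fn.apply(this, args);
  };
}

const safeIndexOf = stringArgsOnly(nativeIndexOf, 'indexOf');

// Normalise a request value into a primitive string, or reject it. This is
// the trust boundary: only values that are unambiguously text are decoded,
// everything else (numbers, arrays, nested objects, null) is refused.
function toPrimitiveString(value) {
  if (typeof value === 'string') return value;
  if (Buffer.isBuffer(value)) return value.toString('utf8');
  if (value instanceof String) return value.valueOf();
  throw new TypeError(`expected string input, got ${value === null ? 'null' : typeof value}`);
}

// Runs the guarded function over constructed inputs and returns the outcome
// of each, so the behaviour is visible without a debugger.
function demo() {
  const inputs = [
    ['hello world', 'world'],     // ordinary strings: allowed
    [new String('hello'), 'll'],  // String object: rejected
    [Buffer.from('hello'), 'll'], // Buffer: rejected
    [12345, '3'],                 // number: rejected
    [['a', 'b'], 'a'],            // array (e.g. ?q=a&q=b): rejected
    [null, 'x'],                  // null: rejected
  ];
  return inputs.map(([h, n]) => {
    try {
      return { ok: true, result: safeIndexOf(h, n) };
    } catch (e) {
      return { ok: false, error: e.constructor.name };
    }
  });
}
```

Apply `toPrimitiveString` at the request boundary and `stringArgsOnly` at the native call; the two layers mean a value that slips past a parser change still cannot reach the addon as a non-string.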

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to fast-string-search functions, at the request boundary and again at the call site
  • Use a supervisor outside the Node.js process (systemd, pm2, a container orchestrator) to auto-restart on crash and to alert on repeated crashes; in-process handlers cannot catch a segmentation fault, and an attacker who can crash the worker at will can keep it in a restart loop

🔍 How to Verify

Check if Vulnerable:

Check package-lock.json (not only package.json, which records the range you asked for rather than what was installed) or run 'npm ls fast-string-search --all' to list every installed copy, including transitive ones pulled in by other dependencies, and see whether any is below 1.0.4

Check Version:

npm list fast-string-search | grep fast-string-search

Verify Fix Applied:

After updating, run 'npm list fast-string-search' to confirm version 1.0.4 or higher is installed
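The check above has to cover every copy of the package, direct or transitive, and 'npm ls' prints that as a nested tree. The following is an added example (not code from the page or the project) that walks the JSON emitted by 'npm ls fast-string-search --all --json' and reports each copy below the fixed version. The fixed version is a parameter: this page cites 1.0.4, so confirm it against the vendor advisory before relying on it. `sampleTree` is constructed for the example, not captured from a real project.

```javascript
'use strict';

const PKG = 'fast-string-search';

// Constructed sample in the shape `npm ls --json` prints
// (name / version / dependencies, nested per dependent).
const sampleTree = {
  name: 'example-app',
  version: '2.3.0',
  dependencies: {
    'fast-string-search': { version: '1.0.4' },
    'legacy-text-utils': {
      version: '0.9.1',
      dependencies: {
        'fast-string-search': { version: '1.0.2' },
      },
    },
    'other-lib': { version: '3.0.0', dependencies: {} },
  },
};

// Compare two dotted versions numerically. A pre-release tag sorts below the
// same release, which is enough for a 1.0.x range; a full semver library is
// the right tool for ranges with build metadata.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-');
    return { nums: core.split('.').map((n) => parseInt(n, 10) || 0), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Recursively collect every occurrence of `pkg` together with its path.
// Entries npm marks as "deduped" carry no version of their own and refer to
// a copy higher in the tree, so they are skipped here.
function findPackage(tree, pkg, path = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === pkg && node.version) hits.push({ path: here.join(' > '), version: node.version });
    hits.push(...findPackage(node, pkg, here));
  }
  return hits;
}

// The occurrences still below `fixedVersion`.
function vulnerableCopies(tree, pkg, fixedVersion) {
  return findPackage(tree, pkg).filter((h) => compareVersions(h.version, fixedVersion) < 0);
}

function report(tree = sampleTree, fixedVersion = '1.0.4') {
  const bad = vulnerableCopies(tree, PKG, fixedVersion);
  if (bad.length === 0) console.log(`no copy of ${PKG} below ${fixedVersion}`);
  for (const b of bad) console.log(`VULNERABLE ${b.version} at ${b.path}`);
  return bad;
}

report();
```

On a real project, save 'npm ls fast-string-search --all --json' to a file and pass `JSON.parse(fs.readFileSync(file, 'utf8'))` to `report()`; the sample above deliberately contains a patched top-level copy and an unpatched transitive one, which a plain 'npm list' output is easy to misread.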

📡 Detection & Monitoring

Log Indicators:

  • Node.js segmentation fault errors
  • Application crashes with memory access violation messages
  • Unexpected process terminations, reported by the supervisor as signal SIGSEGV or exit status 139 (128 + 11) on Linux

Network Indicators:

  • Sudden loss of service from Node.js applications
  • Increased error rates in load balancers

SIEM Query:

source="nodejs" AND ("segmentation fault" OR "SIGSEGV" OR "illegal access")
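The SIEM query catches the crash after the fact; the supervisor is where the restart and the alert decision live, since a segmentation fault in a native addon cannot be handled inside the Node.js process. The following is an added example (not code from the page or the project) that ties the "auto-restart" advice under "If You Can't Patch" to the log indicators above: it classifies a worker's exit, logs a line in the form the query matches, and rate-limits restarts so an attacker who can crash the worker at will is surfaced as an alert instead of hidden by a restart loop. The `supervise` function and its `script` argument are illustrative; the sample log lines in the comments are constructed.

```javascript
'use strict';

// Classify a child exit. Node reports `code` for a normal exit and `signal`
// when the process was killed; a segfault arrives as signal SIGSEGV, or as
// exit code 139 (128 + 11) when an intermediate shell reports it.
function classifyExit(code, signal) {
  if (signal === 'SIGSEGV' || code === 139) return 'crash-segv';
  if (signal) return `crash-${signal}`;
  if (code === 0) return 'clean';
  return `error-${code}`;
}

// Patterns matching the log indicators in the Detection section, e.g. the
// constructed line "node[123]: Segmentation fault (core dumped)".
const CRASH_PATTERNS = [/segmentation fault/i, /\bSIGSEGV\b/, /illegal access/i, /memory access violation/i];
function isCrashIndicator(line) {
  return CRASH_PATTERNS.some((re) => re.test(line));
}

// Restart policy: count crashes in a sliding window with exponential backoff;
// past the limit, stop restarting and alert, because a steady crash rate
// means the input source is hostile and a restart loop only hides that.
class RestartPolicy {
  constructor({ windowMs = 60000, maxCrashes = 5, baseDelayMs = 500 } = {}) {
    this.windowMs = windowMs;
    this.maxCrashes = maxCrashes;
    this.baseDelayMs = baseDelayMs;
    this.crashes = [];
  }
  record(now) {
    this.crashes.push(now);
    this.crashes = this.crashes.filter((t) => now - t < this.windowMs);
    return this.crashes.length;
  }
  decide(now) {
    const n = this.record(now);
    if (n > this.maxCrashes) return { restart: false, delayMs: 0, alert: true };
    // backoff: base, 2x, 4x, ...; alert once the limit is reached
    return { restart: true, delayMs: this.baseDelayMs * 2 ** (n - 1), alert: n === this.maxCrashes };
  }
}

// Supervise `script` under node (illustrative; not started by this file).
// The child_process module is required lazily so the pure functions above
// stay usable from any module system.
function supervise(script, policy = new RestartPolicy()) {
  const { spawn } = require('node:child_process');
  const child = spawn(process.execPath, [script], { stdio: 'inherit' });
  child.on('exit', (code, signal) => {
    const kind = classifyExit(code, signal);
    const line = `worker exit ${kind} code=${code} signal=${signal}`;
    console.error(isCrashIndicator(line) ? `ALERT ${line}` : line);
    if (kind === 'clean') return;
    const d = policy.decide(Date.now());
    if (d.alert) console.error('ALERT: crash rate limit reached, investigate the input source');
    if (d.restart) setTimeout(() => supervise(script, policy), d.delayMs);
  });
  return child;
}
```

Call `supervise('worker.js')` from a small parent process; the same policy values map onto systemd's `StartLimitBurst`/`StartLimitIntervalSec` or pm2's `max_restarts` if you prefer an existing supervisor.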
