CVE-2022-25324
📋 TL;DR
CVE-2022-25324 is a Denial of Service vulnerability in the bignum npm package where improper type checking in the .powm function causes V8 engine crashes that bypass Node.js try/catch blocks. This affects any Node.js application using vulnerable versions of the bignum package for big integer arithmetic operations. The crash leads to immediate process termination regardless of error handling.
💻 Affected Systems
- node-bignum
📦 What is this software?
Bignum by Bignum Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with Node.js process crashes causing application downtime and potential cascading failures in dependent services.
Likely Case
Application crashes when processing specific mathematical operations with malformed inputs, requiring process restarts and causing intermittent availability issues.
If Mitigated
Limited impact with proper input validation and monitoring that catches crashes quickly for rapid recovery.
🎯 Exploit Status
Exploitation requires calling the vulnerable .powm function with malformed second argument. Public proof-of-concept code exists demonstrating the crash.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specifically versioned - package appears unmaintained
Vendor Advisory: https://github.com/justmoon/node-bignum/security/advisories
Restart Required: Yes
Instructions:
1. Remove bignum package: npm uninstall bignum
2. Consider migrating to maintained alternatives like bn.js or big-integer
3. Update package.json to prevent reinstallation
4. Restart all Node.js processes
🔧 Temporary Workarounds
Input validation wrapper
Wrap all bignum.powm() calls with type checking of the second argument
// Before calling bignum.powm(a, b, m):
if (typeof b !== 'number' && !(b instanceof bignum)) {
  throw new Error('Invalid second argument type');
}
Package replacement
Replace bignum with bn.js, which has similar functionality
npm uninstall bignum
npm install bn.js
🧯 If You Can't Patch
- Implement strict input validation for all mathematical operations using bignum
- Deploy monitoring to detect and automatically restart crashed Node.js processes
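The input validation workaround and the first item under "If You Can't Patch", as an added example (not code from this page or from the bignum project): a guard that checks operands in plain JavaScript, so a bad value raises a catchable TypeError before the native call is reached. It goes beyond the second-argument check above by validating both the exponent and the modulus. Assumptions: `makeGuardedPowm`, `isSafeOperand` and `StubBigNum` are hypothetical names, and the stub is a constructed stand-in for `require('bignum')` so the block runs offline.

```javascript
// Added example, not code from the bignum project.
// Assumption: in a real app BigNumCtor is the value of require('bignum').

// Operand types that big-integer arithmetic should ever receive.
function isSafeOperand(value, BigNumCtor) {
  if (value instanceof BigNumCtor) return true;
  if (typeof value === 'number') return Number.isSafeInteger(value);
  if (typeof value === 'string') return /^-?[0-9]+$/.test(value);
  return false; // null, undefined, objects, arrays, booleans, NaN, floats
}

// Build a powm() front end that validates in plain JavaScript, so a bad
// operand raises a catchable TypeError before the native addon is entered.
function makeGuardedPowm(BigNumCtor) {
  return function guardedPowm(base, exponent, modulus) {
    if (!(base instanceof BigNumCtor)) {
      throw new TypeError('powm: base must be a bignum instance');
    }
    for (const [name, value] of [['exponent', exponent], ['modulus', modulus]]) {
      if (!isSafeOperand(value, BigNumCtor)) {
        const kind = value === null ? 'null' : typeof value;
        throw new TypeError(`powm: rejected ${name} of type ${kind}`);
      }
    }
    return base.powm(exponent, modulus);
  };
}

// Constructed stand-in for the library so the example runs offline. It counts
// how often its powm() is entered; the real addon would be entered instead.
class StubBigNum {
  constructor(v) { this.v = BigInt(v instanceof StubBigNum ? v.v : v); }
  powm(e, m) {
    StubBigNum.nativeCalls += 1;
    let exp = new StubBigNum(e).v;
    const mod = new StubBigNum(m).v;
    let result = 1n % mod;
    let b = ((this.v % mod) + mod) % mod;
    for (; exp > 0n; exp >>= 1n) {
      if (exp & 1n) result = (result * b) % mod;
      b = (b * b) % mod;
    }
    return new StubBigNum(result);
  }
  toString() { return this.v.toString(); }
}
StubBigNum.nativeCalls = 0;
```

In an application, build the guard once with the real module, for example `const powm = makeGuardedPowm(require('bignum'));`, and route every call site through it.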
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules for bignum dependency: npm list bignum
Check Version:
npm list bignum | grep bignum
Verify Fix Applied:
Confirm bignum is removed from dependencies and test .powm functionality with alternative library
📡 Detection & Monitoring
Log Indicators:
- Node.js process crashes with V8 fatal errors
- Application logs showing unhandled exceptions from mathematical operations
- Process monitor alerts for repeated Node.js restarts
Network Indicators:
- Sudden HTTP 503/500 responses from previously healthy endpoints
- Increased timeout errors for mathematical API calls
SIEM Query:
source="application.logs" AND ("FATAL ERROR" OR "Process crashed" OR "uncaughtException") AND message CONTAINS "bignum"