CVE-2022-25851

7.5 HIGH

📋 TL;DR

CVE-2022-25851 is a denial-of-service vulnerability in the jpeg-js library in which specially crafted JPEG images cause infinite processing loops, consuming all available CPU resources. It affects any application that uses a vulnerable version of jpeg-js for JPEG image processing, particularly web applications and services that process user-uploaded images.

💻 Affected Systems

Products:
  • jpeg-js
  • applications using jpeg-js library
Versions: All versions before 0.4.4
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that processes JPEG images using jpeg-js is vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, potentially affecting multiple services on shared infrastructure
🟠 Likely Case: Degraded performance or temporary unavailability of image processing functionality
🟢 If Mitigated: Minimal impact with proper input validation and resource limits

🌐 Internet-Facing: HIGH - User-uploaded images are a common attack vector
🏢 Internal Only: MEDIUM - Internal users could still trigger DoS

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires only a malicious JPEG file; trivial to weaponize

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.4 and later

Vendor Advisory: https://github.com/jpeg-js/jpeg-js/security/advisories/GHSA-4j6c-4wq9-5q49

Restart Required: Yes

Instructions:

1. Update package.json to require jpeg-js >=0.4.4
2. Run 'npm update jpeg-js' or 'yarn upgrade jpeg-js'
3. Restart all affected applications

🔧 Temporary Workarounds

Input validation and size limits

all

Implement strict validation of JPEG files before processing

// JavaScript example: validate file size and type before processing

Process timeout

all

Set timeout limits for image processing operations

// Use setTimeout or process timeouts in your image processing code
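A timer set in the same thread never fires while a synchronous decode is spinning, so the deadline has to be enforced from outside the decoding thread. The sketch below is an added example, not code from jpeg-js or its advisory: it runs the decode in a Node.js worker thread and terminates the worker when the deadline passes. The function name, the `decodeExpr` parameter and the two stand-in decoders are assumptions made for illustration.

```javascript
const { Worker } = require('node:worker_threads');

// Assumption: jpeg-js is installed. This string is spliced into the worker
// script, so it must stay a trusted constant and never carry request data.
const JPEG_JS_DECODE = "require('jpeg-js').decode";

// Constructed stand-ins for exercising the wrapper without jpeg-js:
// one simulates a decode that never returns, the other a normal decode.
const HANGING_DECODER = '() => { while (true) {} }';
const WELL_BEHAVED_DECODER = '(b) => ({ width: b.length, height: 1 })';

// Decode `bytes` off the main thread and kill the worker after `timeoutMs`.
// `decodeExpr` (hypothetical parameter) selects the decoder the worker runs.
function decodeWithDeadline(bytes, timeoutMs, decodeExpr = JPEG_JS_DECODE) {
  const script = `
    const { parentPort, workerData } = require('node:worker_threads');
    const decode = ${decodeExpr};
    parentPort.postMessage(decode(Buffer.from(workerData)));
  `;
  return new Promise((resolve, reject) => {
    const worker = new Worker(script, { eval: true, workerData: bytes });
    const timer = setTimeout(() => {
      reject(new Error(`JPEG decode timed out after ${timeoutMs} ms`));
      worker.terminate(); // stops the thread even inside a tight loop
    }, timeoutMs);
    worker.once('message', (image) => {
      clearTimeout(timer);
      resolve(image);
    });
    worker.once('error', (err) => {
      clearTimeout(timer);
      reject(err); // decoder threw, e.g. on a malformed file
    });
    worker.once('exit', (code) => {
      clearTimeout(timer);
      // No effect if the promise already settled above.
      reject(new Error(`decode worker exited with code ${code}`));
    });
  });
}
```

The main event loop stays responsive while the worker runs, so a rejected promise can be turned into an error response for that one upload instead of a hung process.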

🧯 If You Can't Patch

  • Implement strict file upload restrictions and validation
  • Deploy resource monitoring and automatic restart for hung processes

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list jpeg-js' to see installed version

Check Version:

npm list jpeg-js | grep jpeg-js

Verify Fix Applied:

Confirm version is 0.4.4 or higher with 'npm list jpeg-js'

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Process timeouts in image processing
  • Repeated process restarts

Network Indicators:

  • Increased uploads of JPEG files
  • Service degradation after image uploads

SIEM Query:

source="application" AND ("CPU usage" > 90% OR "timeout" OR "image processing")
