CVE-2022-25906

7.4 HIGH

📋 TL;DR

CVE-2022-25906 is a command injection vulnerability in the is-http2 npm package that allows attackers to execute arbitrary commands on affected systems. The vulnerability exists due to insufficient input sanitization in the isH2 function. Any application using this package is potentially vulnerable.

💻 Affected Systems

Products:
  • is-http2 npm package
Versions: All versions
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application that imports and uses the vulnerable is-http2 package is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing remote code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Limited command execution within the application context, potentially leading to data leakage or service disruption.

🟢 If Mitigated

Minimal impact if proper input validation and sandboxing are implemented at the application layer.

🌐 Internet-Facing: HIGH - Applications exposed to the internet can be directly targeted by attackers.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated attacks or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.1.0 and above

Vendor Advisory: https://github.com/stefanjudis/is-http2/security/advisories/GHSA-5q8q-4x2c-h6q9

Restart Required: Yes

Instructions:

1. Update package.json to require is-http2 version 1.1.0 or higher.
2. Run 'npm update is-http2' or 'yarn upgrade is-http2'.
3. Restart the Node.js application.

🔧 Temporary Workarounds

Input Validation Wrapper

Applies to: all

Implement strict input validation before passing data to the isH2 function.

// Example: coerce the untrusted value (`input`) to a string and strip every
// character outside the allow-list before it is passed on
const sanitizedInput = String(input).replace(/[^a-zA-Z0-9.:\/\-]/g, '');
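A fuller version of that wrapper, as an added example that is not code from the advisory or from the is-http2 project: it parses the untrusted value with Node's built-in URL parser, allows only http/https origins with a plain DNS-style hostname, and rejects anything else instead of stripping characters, so a hostile string is never silently rewritten into a different but "clean" target. It assumes isH2 takes the URL string as its first argument; the real function is passed in as a parameter (`isH2Impl`) so the file runs without the package installed.

```javascript
'use strict';

// Added example (not from the advisory or the is-http2 project): validate an
// untrusted probe target before it reaches isH2(). Assumed contract: isH2
// takes the URL string as its first argument; the real function is injected
// as `isH2Impl` so this file runs offline.

// Only these schemes make sense for an HTTP/2 probe.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// DNS-style hostname: labels of letters, digits and hyphens joined by dots.
// new URL() lower-cases the hostname and refuses spaces, '/', '?', '#' and
// similar, but it can let characters such as ';' through, so this allow-list
// is what actually keeps shell metacharacters out of the host.
const HOSTNAME_RE =
  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/;

/**
 * Validate `input` and return a canonical "scheme://host[:port]/" string, or
 * throw. Everything unexpected is rejected rather than stripped.
 */
function validateProbeTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    throw new TypeError('probe target must be a non-empty string');
  }
  let url;
  try {
    url = new URL(input); // throws on anything that is not an absolute URL
  } catch {
    throw new TypeError('probe target is not a valid absolute URL');
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new TypeError(`unsupported scheme: ${url.protocol}`);
  }
  if (url.username !== '' || url.password !== '') {
    throw new TypeError('credentials in the probe target are not allowed');
  }
  if (!HOSTNAME_RE.test(url.hostname)) {
    throw new TypeError(`hostname contains disallowed characters: ${url.hostname}`);
  }
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') {
    throw new TypeError('only an origin (scheme://host[:port]/) may be probed');
  }
  // Rebuild from the parsed parts; none of the caller's raw bytes are reused.
  return `${url.protocol}//${url.host}/`;
}

/**
 * Probe only a validated target. `isH2Impl` is the function imported from the
 * package (assumed: isH2(url) returning a Promise). Validation throws
 * synchronously, so a bad input never reaches the underlying call.
 */
function safeIsH2(input, isH2Impl) {
  return isH2Impl(validateProbeTarget(input));
}

// Constructed sample inputs showing what is accepted and what is refused.
const SAMPLE_INPUTS = [
  'https://example.com',
  'https://Example.COM:8443/',
  'https://example.com;echo',
  'https://example.com/$(echo)',
  'https://example.com`echo`',
  'https://example.com -o /tmp/out',
  'ftp://example.com',
  'https://user:pw@example.com',
  'example.com',
];

// One record per input: { input, accepted, target } or { input, accepted, reason }.
function classify(inputs) {
  return inputs.map((input) => {
    try {
      return { input, accepted: true, target: validateProbeTarget(input) };
    } catch (err) {
      return { input, accepted: false, reason: err.message };
    }
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of classify(SAMPLE_INPUTS)) {
    console.log(`${r.accepted ? 'ACCEPT' : 'REJECT'} ${r.input} -> ${r.target || r.reason}`);
  }
}
```

Rejecting rather than stripping matters for a function that hands its argument to a command line: a strip-based sanitizer turns `https://example.com;echo` into a syntactically clean but different target and carries on, whereas this wrapper fails closed and leaves a clear error for the application log. IPv6 literals and non-root paths are refused by design; widen the checks deliberately if the application needs them.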

🧯 If You Can't Patch

  • Remove or disable the is-http2 package from the application
  • Implement network segmentation to isolate affected applications

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list is-http2' to see if version is below 1.1.0

Check Version:

npm list is-http2 | grep is-http2

Verify Fix Applied:

Verify is-http2 version is 1.1.0 or higher using 'npm list is-http2'

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in application logs
  • Error messages related to isH2 function failures

Network Indicators:

  • Unexpected outbound connections from Node.js processes
  • Suspicious HTTP/2 protocol manipulation attempts

SIEM Query:

process.name:node AND cmdline:*is-http2* AND (event.action:process_start OR event.action:network_connection)
