CVE-2022-28366

7.5 HIGH

📋 TL;DR

This CVE describes a denial-of-service vulnerability in Neko-based HTML parsers: crafted Processing Instruction (PI) input causes the parser to consume excessive heap memory. It affects HtmlUnit-Neko 2.26 and earlier and CyberNeko HTML 1.9.22 and earlier; OWASP AntiSamy before 1.6.6 is affected because it parses untrusted HTML with a vulnerable Neko build. An attacker who can get HTML in front of one of these parsers can exhaust the JVM heap and crash or hang the application, and no authentication is required to do so.

💻 Affected Systems

Products:
  • HtmlUnit-Neko
  • CyberNeko HTML
  • OWASP AntiSamy
Versions: HtmlUnit-Neko through 2.26, CyberNeko HTML through 1.9.22, OWASP AntiSamy before 1.6.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: CyberNeko HTML is unmaintained and 1.9.22 is its final release, so there is no fixed version; users must migrate to HtmlUnit-Neko 2.27 or later (or another parser) or rely on workarounds.

📦 What is this software?

NekoHTML (CyberNeko HTML) is a Java HTML scanner and tag balancer built on the Xerces Native Interface; it turns real-world, malformed HTML into a DOM. HtmlUnit-Neko is the HtmlUnit project's maintained fork of it. OWASP AntiSamy is a Java library that sanitizes user-supplied HTML against a policy; it uses a Neko parser to read the input, which is how a bug in the parser becomes a bug in AntiSamy.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A single crafted request exhausts the JVM heap; the application dies or hangs with an OutOfMemoryError, and the attacker can repeat the request to keep it down. Because AntiSamy is usually applied to user-supplied content, the vulnerable code path is often directly reachable from the internet.

🟠

Likely Case

Denial of service against web applications that sanitize or parse HTML with a vulnerable parser: the affected JVM becomes unavailable until it is restarted, and stays unavailable while the attacker keeps sending the payload.

🟢

If Mitigated

With input-size caps, a bounded JVM heap per worker and restart-on-OOM supervision in place, an attack costs a worker restart and some latency rather than an outage; the parser bug itself remains until the library is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that attacker-controlled HTML containing a crafted Processing Instruction reaches a vulnerable parser, for example through any form field an application sanitizes with AntiSamy or any page it loads with HtmlUnit; no authentication or user interaction is needed beyond getting the input there.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HtmlUnit-Neko 2.27, OWASP AntiSamy 1.6.6

Vendor Advisory: https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/

Restart Required: Yes

Instructions:

1. Identify applications that use a vulnerable parser, including those that receive HtmlUnit-Neko transitively through OWASP AntiSamy or HtmlUnit.
2. Update HtmlUnit-Neko to 2.27 or later; for transitive uses, pin the version in dependency management or upgrade the artifact that pulls it in.
3. Update OWASP AntiSamy to 1.6.6 or later, which depends on the fixed parser.
4. Replace CyberNeko HTML (1.9.22 has no fix) with HtmlUnit-Neko 2.27 or later, or another parser.
5. Rebuild the artifacts and restart the applications so the new jars are loaded.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Reject, before the HTML reaches the parser, any input that contains a Processing Instruction (text beginning with <?), and cap the size of the input you accept. Legitimate rich-text input has no need for PIs, so rejecting them outright is safer than trying to sanitize them; an unterminated <? in particular should never be passed through.
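The pre-parse check this workaround describes, as an added example in Python (it is not code from HtmlUnit-Neko, CyberNeko or AntiSamy; a Java deployment would put the same check in the servlet filter or wherever AntiSamy is called). It rejects input that contains a Processing Instruction, or optionally strips well-formed ones, and refuses an unterminated <? outright. The size limit and the function names are this example's assumptions.

```python
"""Pre-parse guard that keeps HTML Processing Instructions away from a
Neko-based parser (added example; not code from HtmlUnit-Neko or AntiSamy).

CVE-2022-28366 is triggered by a crafted Processing Instruction (PI), so the
conservative workaround is to refuse (or strip) any input that contains one
before it reaches the parser, and to cap input size so that even a parser
bug has a bounded amount of data to work on.
"""
import re

# A PI opens with "<?" and is supposed to close with "?>".  Sanitizer input
# (comments, rich text) has no legitimate reason to contain one.
_PI_RE = re.compile(r"<\?.*?\?>", re.DOTALL)
_PI_OPEN = "<?"

DEFAULT_MAX_BYTES = 256 * 1024  # assumption: tune to your real payload sizes


class UnsafeHtmlInput(ValueError):
    """Raised when input is rejected before parsing."""


def guard_html(html: str, *, max_bytes: int = DEFAULT_MAX_BYTES,
               strip: bool = False) -> str:
    """Return HTML that may be handed to the parser, or raise UnsafeHtmlInput.

    strip=False: reject any input containing a PI (strictest, recommended).
    strip=True : remove well-formed PIs; an unterminated "<?" is still
                 rejected, because stripping it would swallow the rest of
                 the document and a malformed PI is exactly what a DoS
                 payload would carry.
    """
    size = len(html.encode("utf-8"))
    if size > max_bytes:
        raise UnsafeHtmlInput(f"input is {size} bytes, limit is {max_bytes}")

    if _PI_OPEN not in html:
        return html

    if not strip:
        raise UnsafeHtmlInput("processing instruction found in input")

    cleaned = _PI_RE.sub("", html)
    if _PI_OPEN in cleaned:
        # "<?" survived stripping, so it had no matching "?>"
        raise UnsafeHtmlInput("unterminated processing instruction in input")
    return cleaned


def is_safe(html: str, **kw) -> bool:
    """Boolean form of guard_html for callers that prefer no exception."""
    try:
        guard_html(html, **kw)
        return True
    except UnsafeHtmlInput:
        return False


if __name__ == "__main__":
    # Constructed samples, not real attack payloads.
    benign = "<p>Hello <b>world</b></p>"
    with_pi = '<?xml version="1.0"?><p>Hi</p>'
    unterminated = "<p>Hi</p><?php " + "A" * 100
    print(guard_html(benign))
    print(guard_html(with_pi, strip=True))
    for bad in (with_pi, unterminated):
        print(is_safe(bad), is_safe(bad, strip=True))
```

Because the check is purely textual, a <? inside a script block or an attribute value is rejected as well; for a DoS guard on untrusted input that over-rejection is the right trade, and it costs nothing for the comment-style input a sanitizer normally sees.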

Memory Limit Configuration

all

Bound the blast radius: run the JVM with an explicit maximum heap (-Xmx), enforce a request-body size limit in front of every endpoint whose input is parsed, and where possible parse untrusted HTML in a separate worker process that can be killed and restarted without taking down the main service. Alert on OutOfMemoryError and on unexpected restarts (see Detection & Monitoring).

🧯 If You Can't Patch

  • Put a WAF or reverse-proxy rule in front of endpoints that accept HTML: block request bodies that contain <? and enforce a body-size limit, so crafted PIs never reach the parser.
  • Isolate affected systems from untrusted networks and restrict who can submit HTML to them, so only authenticated and accountable users reach the vulnerable code path.

🔍 How to Verify

Check if Vulnerable:

Check the resolved dependency tree, not just the declared versions: AntiSamy before 1.6.6 and HtmlUnit pull in HtmlUnit-Neko transitively. Look for HtmlUnit-Neko 2.26 or earlier, or any CyberNeko HTML at all (1.9.22 is the last release and is vulnerable).

Check Version:

Inspect build files (pom.xml, build.gradle) and, more reliably, the resolved tree (mvn dependency:tree or gradle dependencies). For deployed applications, list the jars on the classpath (for example in WEB-INF/lib) and read the version from the file name or the jar manifest.

Verify Fix Applied:

Confirm that the resolved tree shows HtmlUnit-Neko ≥2.27 and OWASP AntiSamy ≥1.6.6 and that no CyberNeko HTML jar remains; then confirm the deployed artifact was rebuilt and the running process restarted, since a changed pom.xml alone fixes nothing.
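A checker for the dependency-tree verification above, added here as an example (it is not a tool shipped by the HtmlUnit or AntiSamy projects). It reads the text printed by mvn dependency:tree, including transitive entries, flags versions below the first fixed release, and reports whether each hit is a direct or transitive dependency. The Maven coordinates are the ones these libraries were published under at the time of the advisory; the sample tree is constructed.

```python
"""Flag CVE-2022-28366-affected artifacts in a resolved Maven dependency tree.

Added example; not a tool from the HtmlUnit or AntiSamy projects.  It parses
the text that `mvn dependency:tree` prints, including transitive entries,
which is where a vulnerable neko-htmlunit usually hides behind antisamy,
and compares each matching artifact's version with the first fixed release.
"""
import re
from typing import Iterable, List, Tuple

# groupId:artifactId -> first fixed version (None: no fix exists, migrate).
# Coordinates are the ones these libraries were published under at the time
# of the advisory; verify them against your own repository.
AFFECTED = {
    "net.sourceforge.htmlunit:neko-htmlunit": "2.27",
    "org.owasp.antisamy:antisamy": "1.6.6",
    "net.sourceforge.nekohtml:nekohtml": None,   # CyberNeko: 1.9.22 is final
}

# groupId:artifactId:type[:classifier]:version:scope as printed by dependency:tree
_COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+(?::[\w.\-]+){2,4})\b")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.27' -> (2, 27); '1.6.6.1' -> (1, 6, 6, 1).

    Only the leading numeric components are compared, so '2.27-SNAPSHOT'
    counts as 2.27 (fixed); review snapshot builds by hand."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def _depth(line: str, coord_start: int) -> int:
    """Tree depth from the ASCII-art prefix: '+- ' is 1, '|  +- ' is 2, ..."""
    prefix = line[:coord_start]
    if prefix.startswith("[INFO] "):
        prefix = prefix[len("[INFO] "):]
    return len(prefix) // 3


def check_tree(tree_lines: Iterable[str]) -> List[dict]:
    """One finding per vulnerable artifact occurrence, in tree order."""
    findings = []
    for line in tree_lines:
        m = _COORD_RE.search(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        if len(fields) < 5:           # the project root line has no scope; skip
            continue
        ga = f"{fields[0]}:{fields[1]}"
        if ga not in AFFECTED:
            continue
        version = fields[-2]          # scope is last, version sits just before it
        fixed = AFFECTED[ga]
        if fixed is None or parse_version(version) < parse_version(fixed):
            findings.append({
                "artifact": ga,
                "version": version,
                "fixed_in": fixed,
                "direct": _depth(line, m.start()) == 1,
            })
    return findings


# Constructed dependency:tree output; not taken from a real project.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.owasp.antisamy:antisamy:jar:1.6.5:compile
[INFO] |  +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.26:compile
[INFO] |  \\- xerces:xercesImpl:jar:2.12.2:compile
[INFO] +- com.example:report-renderer:jar:3.1.0:compile
[INFO] |  \\- net.sourceforge.htmlunit:neko-htmlunit:jar:2.27:compile
[INFO] \\- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
""".splitlines()


if __name__ == "__main__":
    for f in check_tree(SAMPLE_TREE):
        where = "direct" if f["direct"] else "transitive"
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix, migrate"
        print(f"{f['artifact']} {f['version']} ({where}): {fix}")
```

In practice run mvn dependency:tree > tree.txt in the module and pass the file's lines to check_tree. Gradle's gradle dependencies prints group:artifact:version without the type and scope fields, so _COORD_RE and the version index need adjusting for that output.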

📡 Detection & Monitoring

Log Indicators:

  • Unusual heap consumption spikes, especially ones that coincide with a single request
  • java.lang.OutOfMemoryError entries (typically "Java heap space" or "GC overhead limit exceeded"), and application crashes or restarts that follow them
  • HTML parsing failures or timeouts in requests that carry user-supplied HTML

Network Indicators:

  • Incoming HTTP requests with large or malformed HTML content
  • Patterns of repeated requests to endpoints using HTML parsers

SIEM Query:

Search application logs for java.lang.OutOfMemoryError (typically "Java heap space" or "GC overhead limit exceeded"). Treat hits whose stack trace passes through the Neko parser or AntiSamy as likely exploitation, correlate them with the client IP and request that preceded them, and escalate when one host logs several such errors within a few minutes.
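The search described above, implemented over raw log lines as an added example (not a rule from any vendor or from the projects named on this page). The log line format, the burst threshold and the package names used to attribute an OutOfMemoryError to the HTML parser are assumptions to adapt to your deployment; the log excerpt is constructed.

```python
"""Scan application logs for CVE-2022-28366 memory-exhaustion indicators.

Added example; not a detection rule from any vendor.  It runs the SIEM search
over plain log lines: every JVM OutOfMemoryError is a finding, the finding is
marked parser-related when the stack frames that follow name the Neko or
AntiSamy packages, and repeated errors on one host inside a short window are
escalated to a burst, because a crafted request that is retried or replayed
looks exactly like that.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Assumed log line shape: "<ISO-8601 timestamp> <host> <message>", with stack
# frames on following lines that begin with a tab and "at ".  Adapt LINE_RE.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError(?::\s*(?P<kind>.+))?")

# Packages that tie an OOM to HTML parsing; check the names in your own build.
PARSER_FRAMES = (
    "net.sourceforge.htmlunit.cyberneko",   # HtmlUnit-Neko
    "org.cyberneko.html",                   # CyberNeko HTML
    "org.owasp.validator.html",             # OWASP AntiSamy
)

WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3   # assumption: OOMs per host per window that mean "attack"


def scan(lines: List[str]) -> List[dict]:
    """Findings: one dict per OOM, then one 'burst' per host over the threshold."""
    findings = []
    per_host = defaultdict(list)
    i = 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        oom = OOM_RE.search(m["msg"]) if m else None
        if not oom:
            i += 1
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        frames = []
        j = i + 1
        while j < len(lines) and lines[j].startswith("\tat "):
            frames.append(lines[j])
            j += 1
        findings.append({
            "type": "oom",
            "host": m["host"],
            "time": ts,
            "kind": oom["kind"],
            "parser_related": any(p in f for f in frames for p in PARSER_FRAMES),
        })
        per_host[m["host"]].append(ts)
        i = j

    # Sliding window per host: the first window holding BURST_THRESHOLD OOMs
    # produces one burst finding for that host.
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append({"type": "burst", "host": host,
                                 "count": end - start + 1, "until": stamps[end]})
                break
    return findings


# Constructed log excerpt; the method names in the frames are illustrative only.
SAMPLE_LOG = [
    "2022-04-01T10:00:00Z web-1 INFO request accepted POST /comments",
    "2022-04-01T10:00:02Z web-1 ERROR java.lang.OutOfMemoryError: Java heap space",
    "\tat java.base/java.util.Arrays.copyOf(Arrays.java)",
    "\tat net.sourceforge.htmlunit.cyberneko.HTMLScanner.scan(HTMLScanner.java)",
    "\tat org.owasp.validator.html.AntiSamy.scan(AntiSamy.java)",
    "2022-04-01T10:00:40Z web-1 ERROR java.lang.OutOfMemoryError: Java heap space",
    "\tat net.sourceforge.htmlunit.cyberneko.HTMLScanner.scan(HTMLScanner.java)",
    "2022-04-01T10:01:10Z web-1 ERROR java.lang.OutOfMemoryError: GC overhead limit exceeded",
    "\tat net.sourceforge.htmlunit.cyberneko.HTMLScanner.scan(HTMLScanner.java)",
    "2022-04-01T11:30:00Z batch-2 ERROR java.lang.OutOfMemoryError: Java heap space",
    "\tat com.example.report.PdfRenderer.render(PdfRenderer.java)",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The parser-related flag is what separates this CVE from an ordinary capacity problem: an OutOfMemoryError under a report renderer (batch-2 in the sample) is a sizing ticket, while three of them in 70 seconds under the Neko scanner on a public web host is an incident.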
