Search for vulnerabilities
Vulnerability details: VCID-map2-zntk-aaac
Vulnerability ID VCID-map2-zntk-aaac
Aliases CVE-2022-43548
Summary A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
Status Published
Exploitability 0.5
Weighted Severity 7.3
Risk 3.6
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43548.json
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00390 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00390 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00390 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00390 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00535 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00648 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00648 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00718 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.00833 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
epss 0.02232 https://api.first.org/data/v1/epss?cve=CVE-2022-43548
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
cvssv3.1 8.1 https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
ssvc Track https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-43548
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-43548
cvssv3.1 8.1 https://security.netapp.com/advisory/ntap-20230120-0004/
ssvc Track https://security.netapp.com/advisory/ntap-20230120-0004/
cvssv3.1 8.1 https://security.netapp.com/advisory/ntap-20230427-0007/
ssvc Track https://security.netapp.com/advisory/ntap-20230427-0007/
cvssv3.1 8.1 https://www.debian.org/security/2023/dsa-5326
cvssv3.1 9.1 https://www.debian.org/security/2023/dsa-5326
generic_textual CRITICAL https://www.debian.org/security/2023/dsa-5326
ssvc Track https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43548.json
https://api.first.org/data/v1/epss?cve=CVE-2022-43548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
https://security.netapp.com/advisory/ntap-20230120-0004/
https://security.netapp.com/advisory/ntap-20230427-0007/
https://www.debian.org/security/2023/dsa-5326
1023518 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023518
2140911 https://bugzilla.redhat.com/show_bug.cgi?id=2140911
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:18.12.0:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:18.12.0:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:19.0.0:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:19.0.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2022-43548 https://nvd.nist.gov/vuln/detail/CVE-2022-43548
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2022:8832 https://access.redhat.com/errata/RHSA-2022:8832
RHSA-2022:8833 https://access.redhat.com/errata/RHSA-2022:8833
RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073
RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050
RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612
RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
USN-6491-1 https://usn.ubuntu.com/6491-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43548.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-24T14:03:01Z/ Found at https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-24T14:03:01Z/ Found at https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-43548
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-43548
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20230120-0004/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-24T14:03:01Z/ Found at https://security.netapp.com/advisory/ntap-20230120-0004/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20230427-0007/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-24T14:03:01Z/ Found at https://security.netapp.com/advisory/ntap-20230427-0007/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-24T14:03:01Z/ Found at https://www.debian.org/security/2023/dsa-5326
Exploit Prediction Scoring System (EPSS)
Percentile 0.49717
EPSS Score 0.00264
Published At May 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.