Heap Use-After-Free Vulnerability in NGINX's njs Up to 0.7.0
CVE-2022-25139

9.8CRITICAL

Key Information:

Vendor

F5
Status
Njs
Vendor
CVE Published:
14 February 2022

What is CVE-2022-25139?

A vulnerability in njs, utilized within NGINX, was identified as a heap use-after-free issue in the njs_await_fulfilled function. This flaw can trigger unintended behavior in applications relying on this scripting library, potentially leading to security risks such as code execution or application crashes. It is essential for users to review and update their installations of njs to maintain secure and stable operations.

References

https://github.com/nginx/njs/issues/451
x_refsource_MISC
https://github.com/nginx/njs/commit/6a07c2156a07ef307b6dc...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220303-0007/
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2022-25139 : Heap Use-After-Free Vulnerability in NGINX's njs Up to 0.7.0