CVE-2022-24822 (GCVE-0-2022-24822)
Vulnerability from cvelistv5 – Published: 2022-04-06 17:15 – Updated: 2025-04-23 18:41
Title
Denial of Service in @podium/layout and @podium/proxy
Summary
Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74, an attacker using the `Trailer` header as part of a request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. `@podium/layout`, which is the main way developers/users are exposed to this issue, has been patched in version `4.6.110`; all earlier versions are vulnerable. `@podium/proxy`, which is the source of the vulnerability and is used by `@podium/layout`, has been patched in version `4.2.74`; all earlier versions are vulnerable. It is not easily possible to work around this issue without upgrading.
Severity
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
GitHub_M (security-advisories@github.com)
References
5 references
| URL | Tags |
|---|---|
| https://github.com/podium-lib/proxy/security/advi… | x_refsource_CONFIRM |
| https://github.com/podium-lib/layout/commit/fe43e… | x_refsource_MISC |
| https://github.com/podium-lib/proxy/commit/9698a4… | x_refsource_MISC |
| https://github.com/podium-lib/layout/releases/tag… | x_refsource_MISC |
| https://github.com/podium-lib/proxy/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| podium-lib | proxy | Affected: < 4.6.110; Affected: < 4.2.74 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/podium-lib/layout/releases/tag/v4.6.110"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24822",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:56.946530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:41:18.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "proxy",
"vendor": "podium-lib",
"versions": [
{
"status": "affected",
"version": "\u003c 4.6.110"
},
{
"status": "affected",
"version": "\u003c 4.2.74"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74, an attacker using the `Trailer` header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. `@podium/layout`, which is the main way developers/users are vulnerable to this exploit, has been patched in version `4.6.110`. All earlier versions are vulnerable.`@podium/proxy`, which is the source of the vulnerability and is used by `@podium/layout` has been patched in version `4.2.74`. All earlier versions are vulnerable. It is not easily possible to work around this issue without upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-06T17:15:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/podium-lib/layout/releases/tag/v4.6.110"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74"
}
],
"source": {
"advisory": "GHSA-3hjg-vc7r-rcrw",
"discovery": "UNKNOWN"
},
"title": "Denial of Service in @podium/layout and @podium/proxy",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24822",
"STATE": "PUBLIC",
"TITLE": "Denial of Service in @podium/layout and @podium/proxy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "proxy",
"version": {
"version_data": [
{
"version_value": "\u003c 4.6.110"
},
{
"version_value": "\u003c 4.2.74"
}
]
}
}
]
},
"vendor_name": "podium-lib"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74, an attacker using the `Trailer` header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. `@podium/layout`, which is the main way developers/users are vulnerable to this exploit, has been patched in version `4.6.110`. All earlier versions are vulnerable.`@podium/proxy`, which is the source of the vulnerability and is used by `@podium/layout` has been patched in version `4.2.74`. All earlier versions are vulnerable. It is not easily possible to work around this issue without upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-248: Uncaught Exception"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw",
"refsource": "CONFIRM",
"url": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw"
},
{
"name": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039",
"refsource": "MISC",
"url": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039"
},
{
"name": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf",
"refsource": "MISC",
"url": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf"
},
{
"name": "https://github.com/podium-lib/layout/releases/tag/v4.6.110",
"refsource": "MISC",
"url": "https://github.com/podium-lib/layout/releases/tag/v4.6.110"
},
{
"name": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74",
"refsource": "MISC",
"url": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74"
}
]
},
"source": {
"advisory": "GHSA-3hjg-vc7r-rcrw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24822",
"datePublished": "2022-04-06T17:15:16.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:41:18.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-24822",
"date": "2026-05-25",
"epss": "0.00834",
"percentile": "0.74838"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-24822\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-04-06T18:15:08.973\",\"lastModified\":\"2024-11-21T06:51:10.490\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74, an attacker using the `Trailer` header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. `@podium/layout`, which is the main way developers/users are vulnerable to this exploit, has been patched in version `4.6.110`. All earlier versions are vulnerable.`@podium/proxy`, which is the source of the vulnerability and is used by `@podium/layout` has been patched in version `4.2.74`. All earlier versions are vulnerable. It is not easily possible to work around this issue without upgrading.\"},{\"lang\":\"es\",\"value\":\"Podium es una biblioteca para construir micro frontends. @podium/layout es un m\u00f3dulo para construir un servidor de layout de Podium, y @podium/proxy es un m\u00f3dulo para proxyar peticiones HTTP desde un servidor de layout a un servidor de podlets. En @podium/layout anterior a la versi\u00f3n 4.6.110 y en @podium/proxy anterior a la versi\u00f3n 4.2.74, un atacante usando el encabezado \\\"Trailer\\\" como parte de la petici\u00f3n contra los extremos del proxy presenta la capacidad de derribar el servidor. Todos los layouts de Podium que incluyen podlets con endpoints proxy est\u00e1n afectados. 
La versi\u00f3n \\\"@podium/layout\\\", que es la principal forma en que desarrolladores/usuarios son vulnerables a esta explotaci\u00f3n, ha sido parcheada en versi\u00f3n \\\"4.6.110\\\". Todas las versiones anteriores son vulnerables.\\\"@podium/proxy\\\", que es el origen de la vulnerabilidad y es usado por \\\"@podium/layout\\\" ha sido parcheado en versi\u00f3n \\\"4.2.74\\\". Todas las versiones anteriores son vulnerables. No es posible mitigar este problema sin actualizar\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUs
erPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:finn:podium_layout:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.6.110\",\"matchCriteriaId\":\"2C033C0E-39B4-4821-9133-CC54081088FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:finn:podium_proxy:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.2.74\",\"matchCriteriaId\":\"B712E9BF-F74C-4587-BEBD-97993FF40D72\"}]}]}],\"references\":[{\"url\":\"https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/layout/releases/tag/v4.6.110\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/releases/tag/v4.2.74\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/podium-lib/layout/releases/tag/v4.6.110\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/releases/tag/v4.2.74\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.