{"api_version":"1","generated_at":"2026-04-23T00:41:08+00:00","cve":"CVE-2022-43548","urls":{"html":"https://cve.report/CVE-2022-43548","api":"https://cve.report/api/cve/CVE-2022-43548.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-43548","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-43548"},"summary":{"title":"CVE-2022-43548","description":"An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2022-12-05 22:15:00","updated_at":"2023-04-27 15:15:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/","refsource":"MISC","tags":[],"title":"Nov 3 2022 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230427-0007/","name":"https://security.netapp.com/advisory/ntap-20230427-0007/","refsource":"CONFIRM","tags":[],"title":"April 2023 MySQL Server Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5326","name":"DSA-5326","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5326-1 
nodejs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230120-0004/","name":"https://security.netapp.com/advisory/ntap-20230120-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-43548 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html","name":"[debian-lts-announce] 20230226 [SECURITY] [DLA 3344-1] nodejs security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3344-1] nodejs security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-43548","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43548","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"18.12.0","cpe7":"*","cpe8":"*","cpe
9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"19.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"14.14.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"16.12.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"43548","vulnerable":"1","versionEndIncluding":"18.11.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-43548","qid":"160347","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2022-8833)"},{"cve":"CVE-2022-43548","qid":"160348","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2022-8832)"},{"cve":"CVE-2022-43548","qid":"160361","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2022-9073-1)"},{"cve":"CVE-2022-43548","qid":"160373","title":"Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2023-0050)"},{"cve":"CVE-2022-43548","qid":"160410","title":"Oracle Enterprise Linux Security Update for nodejs and nodejs-nodemon (ELSA-2023-0321)"},{"cve":"CVE-2022-43548","qid":"181502","title":"Debian Security Update for nodejs (DSA 5326-1)"},{"cve":"CVE-2022-43548","qid":"181612","title":"Debian Security Update for nodejs (DLA 3344-1)"},{"cve":"CVE-2022-43548","qid":"182150","title":"Debian Security 
Update for nodejs (CVE-2022-43548)"},{"cve":"CVE-2022-43548","qid":"199926","title":"Ubuntu Security Notification for Node.js Vulnerabilities (USN-6491-1)"},{"cve":"CVE-2022-43548","qid":"240966","title":"Red Hat Update for nodejs:18 security (RHSA-2022:8832)"},{"cve":"CVE-2022-43548","qid":"240967","title":"Red Hat Update for nodejs:18 security (RHSA-2022:8833)"},{"cve":"CVE-2022-43548","qid":"241026","title":"Red Hat Update for nodejs:16 security (RHSA-2022:9073)"},{"cve":"CVE-2022-43548","qid":"241041","title":"Red Hat Update for nodejs:14 security (RHSA-2023:0050)"},{"cve":"CVE-2022-43548","qid":"241117","title":"Red Hat Update for nodejs and nodejs-nodemon security (RHSA-2023:0321)"},{"cve":"CVE-2022-43548","qid":"241160","title":"Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2023:0612)"},{"cve":"CVE-2022-43548","qid":"241304","title":"Red Hat Update for nodejs:14 security (RHSA-2023:1533)"},{"cve":"CVE-2022-43548","qid":"241341","title":"Red Hat Update for nodejs:14 security (RHSA-2023:1742)"},{"cve":"CVE-2022-43548","qid":"296098","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)"},{"cve":"CVE-2022-43548","qid":"355273","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084"},{"cve":"CVE-2022-43548","qid":"377881","title":"Node.js Multiple Vulnerabilities (November 2022)"},{"cve":"CVE-2022-43548","qid":"378045","title":"Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2023:0026)"},{"cve":"CVE-2022-43548","qid":"502747","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2022-43548","qid":"752843","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2022:4084-1)"},{"cve":"CVE-2022-43548","qid":"752846","title":"SUSE Enterprise Linux Security Update for nodejs14 (SUSE-SU-2022:4255-1)"},{"cve":"CVE-2022-43548","qid":"752920","title":"SUSE Enterprise Linux Security Update for nodejs16 
(SUSE-SU-2022:4003-1)"},{"cve":"CVE-2022-43548","qid":"752929","title":"SUSE Enterprise Linux Security Update for nodejs12 (SUSE-SU-2022:4254-1)"},{"cve":"CVE-2022-43548","qid":"752966","title":"SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2022:4301-1)"},{"cve":"CVE-2022-43548","qid":"753698","title":"SUSE Enterprise Linux Security Update for nodejs18 (SUSE-SU-2023:0419-1)"},{"cve":"CVE-2022-43548","qid":"904628","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (11579)"},{"cve":"CVE-2022-43548","qid":"904639","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (11577)"},{"cve":"CVE-2022-43548","qid":"904716","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (11577-1)"},{"cve":"CVE-2022-43548","qid":"904742","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (11579-1)"},{"cve":"CVE-2022-43548","qid":"940854","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2022:8832)"},{"cve":"CVE-2022-43548","qid":"940855","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2022:8833)"},{"cve":"CVE-2022-43548","qid":"940856","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2022:8833)"},{"cve":"CVE-2022-43548","qid":"940857","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2022:8833)"},{"cve":"CVE-2022-43548","qid":"940859","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2022:9073)"},{"cve":"CVE-2022-43548","qid":"940865","title":"AlmaLinux Security Update for nodejs:14 (ALSA-2023:0050)"},{"cve":"CVE-2022-43548","qid":"940906","title":"AlmaLinux Security Update for nodejs and nodejs-nodemon (ALSA-2023:0321)"},{"cve":"CVE-2022-43548","qid":"960517","title":"Rocky Linux Security Update for nodejs and nodejs-nodemon (RLSA-2023:0321)"},{"cve":"CVE-2022-43548","qid":"960640","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2022:8832)"},{"cve":"CVE-2022-43548","qid":"960645","title":"Rocky Linux Security Update for nodejs:14 
(RLSA-2023:0050)"},{"cve":"CVE-2022-43548","qid":"960646","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2022:8833)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-43548","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed in 19.0.1, 18.12.1, 16.18.1, 14.21.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"OS Command Injection (CWE-78)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/","url":"https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230120-0004/","url":"https://security.netapp.com/advisory/ntap-20230120-0004/"},{"refsource":"DEBIAN","name":"DSA-5326","url":"https://www.debian.org/security/2023/dsa-5326"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230226 [SECURITY] [DLA 3344-1] nodejs security update","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230427-0007/","url":"https://security.netapp.com/advisory/ntap-20230427-0007/"}]},"description":{"description_data":[{"lang":"eng","value":"An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the 
fix."}]}},"nvd":{"publishedDate":"2022-12-05 22:15:00","lastModifiedDate":"2023-04-27 15:15:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"14.0.0","versionEndIncluding":"14.14.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndIncluding":"16.12.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:19.0.0:*:*:*:-:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"16.13.0","versionEndExcluding":"16.18.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"14.15.0","versionEndExcluding":"14.21.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"18.0.0","versionEndIncluding":"18.11.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:18.12.0:*:*:*:lts:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}