VYPR
← All advisories
High severityNVD Advisory· Published Jan 31, 2023· Updated Mar 27, 2025

CVE-2022-25881

CVE-2022-25881

Description

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A regular expression denial of service (ReDoS) in http-cache-semantics before 4.1.1 allows attackers to crash servers via crafted request headers.

Vulnerability

Overview

CVE-2022-25881 is a Regular Expression Denial of Service (ReDoS) vulnerability in the http-cache-semantics library, affecting versions prior to 4.1.1. The library parses HTTP headers to determine cacheability according to RFC 7234. The issue stems from a vulnerable regular expression that can be forced into catastrophic backtracking when processing specially crafted request header values [2][3][4].

Exploitation

An attacker can exploit this vulnerability by sending a malicious HTTP request with crafted header values to a server that uses the vulnerable library to parse cache policy from incoming requests. The attack does not require authentication and can be executed over the network, making it remotely exploitable. The malicious header triggers the ReDoS, causing the server to consume excessive CPU resources [3][4].

Impact

Successful exploitation leads to a denial of service condition. The server becomes unresponsive or slow due to CPU exhaustion, potentially affecting all users relying on the service. The impact is limited to availability; there is no risk of data breach or privilege escalation [2][3][4].

Mitigation

The vulnerability is fixed in version 4.1.1 of http-cache-semantics. Users should upgrade immediately. No workarounds are available if the library is used to process untrusted request headers. The package has been widely used in the Node.js ecosystem, and users of affected versions should update as soon as possible [1][2].

References
  1. GitHub - kornelski/http-cache-semantics: RFC 7234 in JavaScript. Parses HTTP headers to correctly compute cacheability of responses, even in complex cases
  2. NVD - CVE-2022-25881
  3. Snyk Vulnerability Database | Snyk
  4. Snyk Vulnerability Database | Snyk

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
http-cache-semanticsnpm
< 4.1.14.1.1
org.webjars.npm:http-cache-semanticsMaven
< 4.1.14.1.1

Affected products

67

Patches

1
560b2d8ef452

Don't use regex to trim whitespace

https://github.com/kornelski/http-cache-semanticsKornelJan 27, 2023via ghsa
commit
2 files changed · +4 4
  • index.js+3 3 modified
    @@ -80,10 +80,10 @@ function parseCacheControl(header) {
 
     // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
     // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
-    const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
+    const parts = header.trim().split(/,/);
     for (const part of parts) {
-        const [k, v] = part.split(/\s*=\s*/, 2);
-        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
+        const [k, v] = part.split(/=/, 2);
+        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
     }
 
     return cc;
  • package.json+1 1 modified
    @@ -1,6 +1,6 @@
 {
     "name": "http-cache-semantics",
-    "version": "4.1.0",
+    "version": "4.1.1",
     "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies",
     "repository": "https://github.com/kornelski/http-cache-semantics.git",
     "main": "index.js",

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.