CVE-2022-29617
Description
Due to improper error handling, an authenticated user can crash a CLA assistant instance. This could impact the availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper error handling in CLA assistant allows authenticated users to crash the instance, impacting availability.
Vulnerability
An improper error handling vulnerability in CLA assistant (versions prior to v2.13.0) allows an authenticated user to trigger an unhandled promise rejection, causing the Node.js process to exit and crash the application instance [1]. The issue arises from insufficient handling of errors in asynchronous operations.
Exploitation
An attacker with valid authentication credentials can send a crafted request that results in an unhandled promise rejection. No special network position or additional privileges are required beyond standard user access. The request causes the Node.js runtime to exit, crashing the CLA assistant instance [1].
Impact
Successful exploitation leads to a denial of service (availability impact). The CLA assistant instance becomes unavailable until manually restarted. For the hosted offering on cla-assistant.io, automatic restart on error mitigates prolonged downtime, but the crash still temporarily disrupts service [1].
Mitigation
The vulnerability is fixed in CLA assistant version v2.13.0 [1]. Users unable to upgrade can apply a workaround by starting Node.js with the --unhandled-rejections=warn CLI option or setting the environment variable NODE_OPTIONS="--unhandled-rejections=warn" to prevent the process from exiting on unhandled rejections [1]. The hosted offering on cla-assistant.io was not impacted due to its automatic restart mechanism.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
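The failure mode and workaround from the Mitigation section, as an added example that is not CLA assistant's code or its actual fix: a wrapper that routes a rejected async handler to an error callback, plus a startup check of the effective `--unhandled-rejections` mode. The names `safeAsync`, `rejectionMode`, `failingHandler` and `simulate`, and the request shape, are hypothetical.

```javascript
// Added example; not CLA assistant code. All names and data are constructed.

// Wrap an async route handler so a rejection is passed to the error
// callback (next) instead of being left unhandled.
function safeAsync(handler) {
  return function (req, res, next) {
    // Starting from Promise.resolve() also captures synchronous throws.
    return Promise.resolve()
      .then(() => handler(req, res, next))
      .catch(next);
  };
}

// Return the --unhandled-rejections mode a process would start with.
// Only the "--flag=value" form shown in the workaround is parsed.
// NODE_OPTIONS is read first so command-line arguments take precedence.
function rejectionMode(execArgv, nodeOptions) {
  const args = [...(nodeOptions || '').split(/\s+/), ...execArgv];
  let mode = 'throw'; // default since Node.js 15: process exits
  for (const arg of args) {
    const m = /^--unhandled-rejections=(.+)$/.exec(arg);
    if (m) mode = m[1];
  }
  return mode;
}

// Constructed handler that fails inside an asynchronous operation.
async function failingHandler(req) {
  throw new Error('lookup failed for ' + req.params.repo);
}

// Drive a wrapped handler with a constructed request and report the outcome.
async function simulate(handler) {
  const req = { params: { repo: 'example/repo' } };
  let outcome = { status: 200, error: null };
  const next = (err) => { outcome = { status: 500, error: err.message }; };
  await safeAsync(handler)(req, {}, next);
  return outcome;
}

simulate(failingHandler).then((outcome) => {
  console.log('effective mode:', rejectionMode(process.execArgv, process.env.NODE_OPTIONS));
  console.log('wrapped handler outcome:', outcome);
});
```

With `warn` the process keeps running, but the rejected operation itself is still unhandled; a wrapper like this is what turns it into an error response.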
Affected products (2)
- SAP SE/CLA Assistant, v5, Range: 2.12.0
References
[1] github.com/cla-assistant/cla-assistant/security/advisories/GHSA-jjjv-grgr-v8h3 (mitre, x_refsource_MISC)