VYPR
High severity · NVD Advisory · Published Aug 4, 2022 · Updated Aug 3, 2024

CVE-2022-35142

Description

An issue in Raneto v0.17.0 allows attackers to cause a Denial of Service (DoS) via a crafted payload injected into the Search parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: raneto (npm)
Affected versions: < 0.17.1
Patched versions: 0.17.1

Vulnerability mechanics

Root cause

"Insufficient input sanitization in the search route allows a crafted payload to crash the search handler, causing a Denial of Service."

Attack vector

An attacker sends a crafted HTTP GET request to the search endpoint with a malicious payload in the `search` query parameter. The original code only stripped `

Affected code

The vulnerability resides in the search route handler at `app/routes/search.route.js`. The original code used `_s.stripTags()` to remove `

What the fix does

The patch introduces a new `app/functions/sanitize.js` module that applies `validator.blacklist`, `validator.trim`, and `validator.escape` to the search query, removing dangerous characters (`&'"/>
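The following is an added illustration, not code from Raneto's repository or from the validator package. It re-implements the three calls the patch's sanitize.js is described as using (validator.blacklist, validator.trim, validator.escape) so the effect on a search term can be seen offline, and wraps them in a hypothetical handler shape. Assumptions: the blacklisted character set (the advisory's list is cut off after `&'"/>`; `<` is included here as an assumption), the type check on the query value, and the names `sanitizeSearch` and `searchHandler`, none of which are taken from the page.

```javascript
// Added illustration for this advisory, not Raneto's own code and not the
// validator npm package: hand-rolled equivalents of validator.blacklist,
// validator.trim and validator.escape, in the order the advisory lists them.

// Assumption: the set of characters removed. The advisory's list is
// truncated after `&'"/>`; `<` is added here as an assumption.
const BLACKLISTED_CHARS = "&'\"/<>";

// validator.blacklist semantics: delete every character that appears in
// `chars`. The characters go into a regex character class, so the few that
// are special inside a class are escaped first.
function blacklist(str, chars) {
  const escaped = chars.replace(/[\]\\^-]/g, "\\$&");
  return str.replace(new RegExp(`[${escaped}]+`, "g"), "");
}

// validator.escape semantics: HTML-entity encode characters that could open
// or close markup if the term is reflected back into a page.
function escapeHtml(str) {
  return str
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/\//g, "&#x2F;")
    .replace(/\\/g, "&#x5C;")
    .replace(/`/g, "&#96;");
}

// blacklist -> trim -> escape, as the advisory describes sanitize.js.
// The typeof check is a defensive addition (assumption, not described by
// the page): Express-style query parsers turn `?search[]=a` into an array,
// and string methods called on that value throw inside the handler.
function sanitizeSearch(raw) {
  if (typeof raw !== "string") return "";
  const stripped = blacklist(raw, BLACKLISTED_CHARS);
  const trimmed = stripped.trim();
  return escapeHtml(trimmed);
}

// Hypothetical handler shape showing where the sanitizer sits: takes the
// parsed query object and returns the term the search would run with.
function searchHandler(query) {
  const term = sanitizeSearch(query.search);
  if (term.length === 0) {
    return { status: 400, error: "empty search term" };
  }
  return { status: 200, term };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { search: "  <script>alert(1)</script>  " },
  { search: "foo & bar" },
  { search: ["a", "b"] },
  { search: "back\\slash`tick" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const q of samples) {
    console.log(JSON.stringify(q.search), "->", JSON.stringify(searchHandler(q)));
  }
}
```

Note that blacklisting runs before escaping, so the characters in the blacklist never reach the escape step; escaping still matters for characters outside the list, such as backslash and backtick, which the example leaves in place but entity-encodes.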

Preconditions

  • Network: The attacker must be able to send HTTP requests to the Raneto search endpoint (typically /search?search=...).
  • Auth: No authentication is required; the search endpoint is publicly accessible.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
