CVE-2022-38900
Description
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
decode-uri-component 0.2.0 has an improper input validation flaw that leads to denial of service via specially crafted URIs.
Vulnerability
Analysis
decode-uri-component version 0.2.0 contains an improper input validation vulnerability that can result in a denial of service (DoS) condition. The root cause lies in the decode function's handling of malformed percent-encoded sequences. When decodeURIComponent() throws on the input, the function falls back to a manual parsing loop. In that loop the input.match(singleMatcher) call can return null for certain malformed inputs, and the code iterated over tokens without checking for null, leading to a crash or hang. The fix, implemented in commit 746ca5d, adds an `|| []` fallback to both tokens assignments, preventing the null reference; the same commit also wraps the whole-string return of decodeComponents in an array so that the loop's .join('') call always receives an array (see the index.js diff under Patches).[1][3]
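As an added example (not the page's or the library's own code), the block below models the decode()/decodeComponents() logic that commit 746ca5d changes; the recursive split inside decodeComponents is reconstructed from the unchanged library code, and the `patched` flag and `tryDecode` helper are assumptions of the model. It shows the 0.2.0 fallback throwing on the %ea%ba%5a%ba input from the fix's test file, while the 0.2.1 logic returns a decoded string.

```javascript
// Added example, not the library's own code: a reduced model of decode-uri-component's
// fallback decoder built from the decode()/decodeComponents() logic in commit 746ca5d; the
// recursive split is reconstructed. `patched` switches between 0.2.0 and the 0.2.1 fix.
const singleMatcher = new RegExp('%[a-f0-9]{2}', 'gi');
function decodeComponents(components, split, patched) {
  try {
    // 0.2.0 returned a bare string here while every other path returns an array;
    // 0.2.1 wraps it so callers can always .join() the result.
    const whole = decodeURIComponent(components.join(''));
    return patched ? [whole] : whole;
  } catch (err) {
    // Whole string is undecodable: fall through and split the token list in two.
  }
  if (components.length === 1) return components;
  split = split || 1;
  const left = components.slice(0, split);
  const right = components.slice(split);
  return [].concat(decodeComponents(left, 1, patched), decodeComponents(right, 1, patched));
}

// match() returns null once no %xx token is left; 0.2.1 substitutes an empty array.
function matchTokens(input, patched) {
  const tokens = input.match(singleMatcher);
  return patched ? (tokens || []) : tokens;
}

function decode(input, patched) {
  try {
    return decodeURIComponent(input);
  } catch (err) {
    let tokens = matchTokens(input, patched);
    // 0.2.0 throws here, on `null.length` or on calling .join() on a string.
    for (let i = 1; i < tokens.length; i++) {
      input = decodeComponents(tokens, i, patched).join('');
      tokens = matchTokens(input, patched);
    }
    return input;
  }
}

// Run decode and report whether it threw, so the two behaviours can be compared, e.g. with
// '%ea%ba%5a%ba' from the fix's test file or the constructed '%zz' (no complete %xx token).
function tryDecode(input, patched) {
  try {
    return { ok: true, value: decode(input, patched) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}
```

With the 0.2.0 flag the sample input reaches the point where the whole remaining string decodes to a single character, and the bare string return breaks the loop's .join('') call; with the 0.2.1 flag it returns that character.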
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted URI containing malformed percent-encoding sequences. No authentication or special network position is required; the attack can be performed by any user or system that passes untrusted input to the affected decode function. For example, a token like %ea%ba%5a%ba was used in testing to demonstrate the issue, though the commit note indicates the fix may change behavior for such inputs to prevent the DoS.[3]
Impact
Successful exploitation causes the application to crash or become unresponsive, resulting in a denial of service. This can affect Node.js applications and any software using this library for URI decoding. The vulnerability does not lead to code execution, but the DoS can disrupt service availability.[1]
Mitigation
The vulnerability is patched in decode-uri-component version 0.2.1. Users should upgrade to this version or later. No known workarounds exist other than updating the library. The fix was released on the same day the CVE was published, and Fedora package announcements indicate distributions have been notified.[2][3][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| decode-uri-component (npm) | < 0.2.1 | 0.2.1 |
Affected products
Ten version ranges from the GHSA coordinates; no CPE is assigned to any entry:
- pkg:npm/decode-uri-component: < 0.2.1
- pkg:rpm/almalinux/nodejs: < 1:14.21.3-1.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/nodejs-devel: < 1:14.21.3-1.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/nodejs-docs: < 1:14.21.3-1.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/nodejs-full-i18n: < 1:14.21.3-1.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/nodejs-nodemon: < 2.0.20-3.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/nodejs-packaging: < 23-3.module_el8.4.0+2522+3bd42762
- pkg:rpm/almalinux/npm: < 1:6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8
- pkg:rpm/almalinux/pcs: < 0.11.6-3.el9
- pkg:rpm/almalinux/pcs-snmp: < 0.11.6-3.el9
Patches
Commit 746ca5dcb666: Fix issue where decode throws - fixes #6
2 files changed · +7 −4
index.js+3 −3 modified@@ -6,7 +6,7 @@ var multiMatcher = new RegExp('(' + token + ')+', 'gi'); function decodeComponents(components, split) { try { // Try to decode the entire string first - return decodeURIComponent(components.join('')); + return [decodeURIComponent(components.join(''))]; } catch (err) { // Do nothing } @@ -28,12 +28,12 @@ function decode(input) { try { return decodeURIComponent(input); } catch (err) { - var tokens = input.match(singleMatcher); + var tokens = input.match(singleMatcher) || []; for (var i = 1; i < tokens.length; i++) { input = decodeComponents(tokens, i).join(''); - tokens = input.match(singleMatcher); + tokens = input.match(singleMatcher) || []; } return input;
test.js+4 −1 modified@@ -32,7 +32,10 @@ const tests = { '%C2x': '\uFFFDx', '%C2%B5': 'µ', '%C2%B5%': 'µ%', - '%%C2%B5%': '%µ%' + '%%C2%B5%': '%µ%', + + // This should actually return `%ea%baZ%ba`, but fixes a DOS attack for now + '%ea%ba%5a%ba': '꺺' }; function macro(t, input, expected) {
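Review bot: the `return [decodeURIComponent(components.join(''))]` change in the first index.js hunk fixes a return-type inconsistency, not only a null case: decode() calls `.join('')` on whatever decodeComponents returns, so the previous bare-string return threw a TypeError as soon as the whole remaining string decoded successfully. A one-line comment above that return stating that decodeComponents always returns an array would stop a later edit from reintroducing the bare string.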
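Review bot: in the second index.js hunk the `|| []` guards on both `input.match(singleMatcher)` assignments are correct, but the loop reassigns `tokens` inside its own body, so `i < tokens.length` is re-checked against a list that shrinks as components decode and the loop ends when no `%xx` token remains. Consider an explicit `if (tokens.length === 0) { return input; }` before the loop and a comment on the in-loop reassignment, so the termination condition does not depend on the reader noticing the side effect in the `for` header.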
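Review bot: the new test.js case `'%ea%ba%5a%ba': '꺺'` pins an output that its own comment calls wrong (`%ea%baZ%ba` is the expected decoding), so the comment should reference a tracking issue and explain the trade-off: once `%5a` decodes to `Z`, the loop re-joins the remaining `%ea%ba%ba` and decodes it as one character instead of throwing. Also, `DOS` in the comment should read `DoS`.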
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
16 references:
- github.com/advisories/GHSA-w573-4hg7-7wgq (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/ (MITRE, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38900 (GHSA, advisory)
- github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9 (GHSA, web)
- github.com/SamVerschueren/decode-uri-component/issues/5 (GHSA, web)
- github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1 (GHSA, web)
- github.com/sindresorhus/query-string/issues/345 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU (GHSA, web)