GHSA-FHP4-PR5J-46M5
Vulnerability from github – Published: 2026-06-26 20:55 – Updated: 2026-06-26 20:55Summary
A NULL pointer dereference vulnerability exists in PDFParser::CreateFilterForStream() when processing a PDF stream with /Filter /LZWDecode and a /DecodeParms dictionary that does not contain the EarlyChange key. This causes an access violation (0xC0000005) and crashes the process.
Affected Version
muhammara <= 6.0.4 (latest)
Vulnerability Details
File: src/deps/PDFWriter/PDFParser.cpp line 2107
if (inDecodeParams)
{
PDFObjectCastPtr<PDFInteger> earlyObj(
QueryDictionaryObject(inDecodeParams, "EarlyChange")
);
early = earlyObj->GetValue(); // NULL dereference when EarlyChange key is absent
}
When inDecodeParams is non-NULL but lacks the EarlyChange key:
1. QueryDictionaryObject() returns NULL
2. PDFObjectCastPtr<PDFInteger>(NULL) wraps NULL
3. earlyObj->GetValue() dereferences NULL → crash
PoC
460-byte malicious PDF triggers crash via startReadingFromStream():
- PDF contains
/Filter /LZWDecodewith/DecodeParms << >>(empty, no EarlyChange) - Exit code:
0xC0000005(Access Violation)
Fix
if (earlyObj)
early = earlyObj->GetValue();
Impact
Any application accepting untrusted PDFs and using muhammara to read stream contents is vulnerable to DoS.
Similar to: CVE-2022-41957, CVE-2022-39381
PoC File
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.4"
},
"package": {
"ecosystem": "npm",
"name": "muhammara"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T20:55:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA NULL pointer dereference vulnerability exists in `PDFParser::CreateFilterForStream()` when processing a PDF stream with `/Filter /LZWDecode` and a `/DecodeParms` dictionary that does not contain the `EarlyChange` key. This causes an access violation (0xC0000005) and crashes the process.\n\n## Affected Version\n\nmuhammara \u003c= 6.0.4 (latest)\n\n## Vulnerability Details\n\n**File:** `src/deps/PDFWriter/PDFParser.cpp` line 2107\n\n```cpp\nif (inDecodeParams)\n{\n PDFObjectCastPtr\u003cPDFInteger\u003e earlyObj(\n QueryDictionaryObject(inDecodeParams, \"EarlyChange\")\n );\n early = earlyObj-\u003eGetValue(); // NULL dereference when EarlyChange key is absent\n}\n```\n\nWhen `inDecodeParams` is non-NULL but lacks the `EarlyChange` key:\n1. `QueryDictionaryObject()` returns NULL\n2. `PDFObjectCastPtr\u003cPDFInteger\u003e(NULL)` wraps NULL\n3. `earlyObj-\u003eGetValue()` dereferences NULL \u2192 crash\n\n## PoC\n\n460-byte malicious PDF triggers crash via `startReadingFromStream()`:\n\n- PDF contains `/Filter /LZWDecode` with `/DecodeParms \u003c\u003c \u003e\u003e` (empty, no EarlyChange)\n- Exit code: `0xC0000005` (Access Violation)\n\n## Fix\n\n```cpp\nif (earlyObj)\n early = earlyObj-\u003eGetValue();\n```\n\n## Impact\n\nAny application accepting untrusted PDFs and using muhammara to read stream contents is vulnerable to DoS.\n\nSimilar to: CVE-2022-41957, CVE-2022-39381\n\n## PoC File\n[poc_muhammara_lzw_null.js](https://github.com/user-attachments/files/27186113/poc_muhammara_lzw_null.js)",
"id": "GHSA-fhp4-pr5j-46m5",
"modified": "2026-06-26T20:55:18Z",
"published": "2026-06-26T20:55:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-fhp4-pr5j-46m5"
},
{
"type": "WEB",
"url": "https://github.com/julianhille/MuhammaraJS/commit/a98c07780241353334eb65bfca1df025f14be70b"
},
{
"type": "PACKAGE",
"url": "https://github.com/julianhille/MuhammaraJS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.