CVE-2022-28366

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-28366
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-28366.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-28366
Aliases
Downstream
Related
Published
2022-04-21T23:15:10Z
Modified
2025-10-31T18:58:50.955280Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

References

Affected packages

Git / github.com/htmlunit/htmlunit

Affected ranges

Type
GIT
Repo
https://github.com/htmlunit/htmlunit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7421f043d18741c4e36bf7c0ce8b471122dbf18a

Git / github.com/nahsra/antisamy

Affected ranges

Type
GIT
Repo
https://github.com/nahsra/antisamy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
99b1143bd2219c7645a8d68ca856a51e67f7bbfa

Affected versions

1.*

1.6.3

v1.*

v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.4
v1.6.5