CVE-2022-25940: lite-server vulnerable to Denial of Service

December 20, 2022 (updated April 16, 2025)

All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

References

gist.github.com/lirantal/832382155e00da92bfd8bb3adea474eb
github.com/advisories/GHSA-89w7-5q45-r53w
github.com/johnpapa/lite-server
nvd.nist.gov/vuln/detail/CVE-2022-25940
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3175617
security.snyk.io/vuln/SNYK-JS-LITESERVER-3153540

Code Behaviors & Features

Detect and mitigate CVE-2022-25940 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →