CVE-2022-4111 — ToolJet is vulnerable to Denial of Service (DoS)

Description

ToolJet/ToolJet placed no limit on the file size for user avatars. This could cause a denial of service if too many users upload large files. This is fixed in commit 01cd3f0464747973ec329e9fb1ea12743d3235cc in version 1.27.0. `tooljet` is no longer listed on npmjs.com but was [listed on npmjs.com in the past](https://web.archive.org/web/20220210014826/https://www.npmjs.com/package/tooljet). This advisory is maintained for historical completeness.

How to fix CVE-2022-4111

To remediate CVE-2022-4111, upgrade the affected package to a fixed version below.

—upgrade to 1.27.0 or later

Is CVE-2022-4111 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.27.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-4111
PATCHgithub.com/ToolJet/ToolJet
WEBgithub.com/tooljet/tooljet/commit/01cd3f0464747973ec329e9fb1ea12743d3235cc
WEBgithub.com/ToolJet/ToolJet/pull/4103
WEB