Safeguard
Vulnerabilities

Notable CVEs of 2022: A Practitioner's Roundup

CVE-2022-31160 and a run of recursion-based denial-of-service bugs made 2022 a year defined less by exotic exploits and more by parsers that never expected deeply nested input.

Safeguard Research Team
Research
5 min read

CVE-2022-31160 is a fitting entry point into a 2022 retrospective — a cross-site scripting flaw in jQuery UI's checkboxradio widget that shipped quietly in a UI library nearly every enterprise frontend already depended on, and that's a pattern that recurs across this list. 2022's most instructive CVEs weren't exotic zero-days; they were parsers and widgets that had never been tested against adversarial input, finally getting the scrutiny they should have had years earlier. Here's what practitioners should still recognize from that year.

What was the jQuery UI XSS about?

CVE-2022-31160 affected jQuery UI versions prior to 1.13.2 and lived in the checkboxradio widget's handling of label content. When a checkboxradio widget was initialized on an input nested inside a label element, jQuery UI treated the parent label's contents as the input's label text; if the application later called .checkboxradio("refresh"), previously encoded entities in that label content were decoded, and any attacker-controlled markup embedded there would execute as script in the victim's browser with full session context. It carried a moderate 6.1 CVSS score, but its real significance was reach — jQuery UI sits in an enormous number of legacy enterprise frontends, and the fix (wrapping non-input label content in a span) was a one-line change that a surprising number of applications still hadn't applied years after the patch shipped.

Why did so many 2022 CVEs come down to unbounded recursion?

This was the year's clearest pattern. CVE-2022-45688 hit hutool-json's XML.toJSONObject conversion logic (and the related org.json:json package before version 20230227): recursively processing nested XML elements without any maximum depth check meant a sufficiently nested payload would exhaust the JVM's stack and crash the application with a StackOverflowError, no authentication required. CVE-2022-40152 was structurally almost identical but in a different library — Woodstox's DTD parser recursively resolved nested entity definitions without a depth limit, so a crafted XML document with recursive DTD entities could trigger the same stack-overflow crash, scoring a 7.5 CVSS for the resulting denial of service. Three unrelated Java-ecosystem libraries hitting the same root cause in the same year is a reasonable signal that "does this parser cap recursion depth" deserved to be a standing checklist item well before 2022, not an afterthought.

What happened with the Python privilege escalation bug?

CVE-2022-42919 was a local privilege escalation affecting Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux, specific to the multiprocessing library's forkserver start method. The root cause combined two things: Linux abstract namespace sockets, which have no filesystem-level access control, and Python's pickle deserialization, which can execute arbitrary code when unpickling untrusted data. Because the forkserver implementation accepted and deserialized pickled data from these unauthenticated sockets, any local user on the same machine could potentially escalate privileges to whatever user was running the forkserver process — a 7.8 CVSS local privilege escalation that only affected the non-default forkserver configuration, but a clean illustration of how deserialization risk and weak socket access control can compound each other.

What was the libxml2/lxml NULL pointer issue?

CVE-2022-2309 affected libxml2 versions 2.9.10 through 2.9.14 when used together with the Python lxml binding, specifically through the iterwalk function (which the canonicalize function also relies on internally). Crafted input processed through iterwalk could trigger a NULL pointer dereference and crash the application. The practical exposure was narrower than the CVSS number alone implies, since iterwalk is less commonly used than the more efficient iterparse, but any C14N-style XML canonicalization workflow built on top of it was directly at risk, and the fix landed in lxml 4.9.1 alongside upstream libxml2 patches.

What ties these 2022 disclosures together?

Every one of these bugs — the jQuery UI widget, the two XML/JSON recursion crashes, the Python deserialization-over-sockets issue, and the libxml2 NULL pointer bug — sat in code that had been in production and battle-tested for years before someone finally threw adversarial input at it. None of them required a sophisticated exploit chain; they required someone to ask "what happens if this input is deeply nested, or malformed, or comes from an untrusted local process" and then actually test it. That's precisely the gap that fuzzing and dependency-aware SCA scanning are designed to close — catching known-vulnerable versions of exactly these libraries in a dependency tree before a security researcher (or an attacker) finds the same gap independently.

FAQ

What is CVE-2022-31160?

CVE-2022-31160 is a cross-site scripting vulnerability in jQuery UI's checkboxradio widget, affecting versions prior to 1.13.2, triggered when a refreshed widget decoded previously encoded label content containing attacker-controlled markup.

Were the 2022 recursion-based CVEs related to each other?

Not directly — CVE-2022-45688 (hutool-json/org.json) and CVE-2022-40152 (Woodstox) were separate libraries with the same underlying flaw: recursive parsing with no maximum depth limit, both resulting in stack-overflow denial of service.

Is CVE-2022-42919 exploitable remotely?

No — it's a local privilege escalation specific to Python's multiprocessing forkserver method on Linux, requiring local access to the same machine rather than a remote network attack path.

Does CVE-2022-2309 affect all libxml2 versions?

No — it specifically affects libxml2 2.9.10 through 2.9.14 when used with lxml's iterwalk or canonicalize functions; libxml2 2.9.9 and earlier are not affected.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.