Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00eDV2LWdtcTgtMjVjaM4AArVj
Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
Permalink: https://github.com/advisories/GHSA-4x5v-gmq8-25ch
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eDV2LWdtcTgtMjVjaM4AArVj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
Identifiers: GHSA-4x5v-gmq8-25ch, CVE-2021-43307
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43307
- https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
- https://github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c
- https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Blast Radius: 0.0
Affected Packages
npm:semver-regex
Dependent packages: 393
Dependent repositories: 378,837
Downloads: 17,439,096 last month
Affected Version Ranges: >= 4.0.0, < 4.0.3; < 3.1.4
Fixed in: 4.0.3, 3.1.4
All affected versions: 0.1.0, 0.1.1, 1.0.0, 2.0.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.0.2
All unaffected versions: 3.1.4, 4.0.3, 4.0.4, 4.0.5