Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMnFmLXJ4amotcXFnd84AAz95
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Permalink: https://github.com/advisories/GHSA-c2qf-rxjj-qqgwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMnFmLXJ4amotcXFnd84AAz95
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-c2qf-rxjj-qqgw, CVE-2022-25883
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25883
- https://github.com/npm/node-semver/pull/564
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js#L138
- https://github.com/npm/node-semver/blob/main/internal/re.js#L160
- https://github.com/npm/node-semver/pull/585
- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
- https://github.com/npm/node-semver/pull/593
- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Blast Radius: 32.4
Affected Packages
npm:semver
Dependent packages: 43,561Dependent repositories: 1,325,167
Downloads: 1,236,070,539 last month
Affected Version Ranges: >= 7.0.0, < 7.5.2, < 5.7.2, >= 6.0.0, < 6.3.1
Fixed in: 7.5.2, 5.7.2, 6.3.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 3.0.0, 3.0.1, 4.0.0, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.3.0, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.4.0, 7.5.0, 7.5.1
All unaffected versions: 5.7.2, 6.3.1, 7.5.2, 7.5.3, 7.5.4, 7.6.0, 7.6.1, 7.6.2