CVE-2022-25883
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/06/2023
Last modified:
06/12/2024
Description
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.<br />
<br />
<br />
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:* | 5.7.2 (excluding) | |
| cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:* | 6.0.0 (including) | 6.3.1 (excluding) |
| cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:* | 7.0.0 (including) | 7.5.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://github.com/npm/node-semver/pull/564
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://github.com/npm/node-semver/pull/564
- https://security.netapp.com/advisory/ntap-20241025-0004/
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795