Detections
Analytics

CVE-2022-25883

high

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

References

https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795

https://security.netapp.com/advisory/ntap-20241025-0004/

https://github.com/npm/node-semver/pull/564

https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Details

Source: Mitre, NVD

Published: 2023-06-21

Updated: 2024-12-06

Named Vulnerability: Regular Expression Denial of Service

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00308