GHSA-c2qf-rxjj-qqgw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c2qf-rxjj-qqgw
- Aliases
- Related
- Published
- 2023-06-21T06:30:28Z
- Modified
- 2024-08-08T16:23:00Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- semver vulnerable to Regular Expression Denial of Service
- Details
-
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-25883
- https://github.com/npm/node-semver/pull/564
- https://github.com/npm/node-semver/pull/585
- https://github.com/npm/node-semver/pull/593
- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
- https://github.com/npm/node-semver
- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js#L138
- https://github.com/npm/node-semver/blob/main/internal/re.js#L160
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
Affected packages
npm / semver
Package
- Name
- semver
- View open source insights on deps.dev
- Purl
- pkg:npm/semver
npm / semver
Package
- Name
- semver
- View open source insights on deps.dev
- Purl
- pkg:npm/semver
npm / semver
Package
- Name
- semver
- View open source insights on deps.dev
- Purl
- pkg:npm/semver