CVE-2022-25883 – semver
Package
Manager: npm
Name: semver
Vulnerable Version: >=7.0.0 <7.5.2 || >=6.0.0 <6.3.1 || >=0 <5.7.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00418 (percentile 0.60988)
Details
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
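Two defender-side checks for this advisory, added here as an example (not code from the advisory or from the semver project): one decides whether an installed semver version falls inside the affected ranges listed above, using a hand-rolled comparison so it does not depend on the package being assessed; the other pre-validates a range string that comes from untrusted input before it reaches new Range. The length cap and character whitelist are assumed, conservative values chosen for the example, not numbers from the advisory.

```javascript
// Added example for CVE-2022-25883; not part of the advisory or of the semver package.

// Parse "MAJOR.MINOR.PATCH" (optional leading v, pre-release and build tags tolerated but ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 by comparing the numeric major.minor.patch tuples.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Fixed versions per the advisory: 7.5.2 on 7.x, 6.3.1 on 6.x, 5.7.2 for everything older.
const FIXED_BY_MAJOR = { 7: '7.5.2', 6: '6.3.1' };

// True when `installed` is inside >=7.0.0 <7.5.2 || >=6.0.0 <6.3.1 || >=0 <5.7.2.
function isVulnerableSemver(installed) {
  const [major] = parseVersion(installed);
  const fixed = FIXED_BY_MAJOR[major] || (major < 6 ? '5.7.2' : null);
  if (fixed === null) return false; // 8.x and later are not listed as affected
  return compareVersions(installed, fixed) < 0;
}

// Assumed, conservative limits for untrusted range strings (not values from the advisory).
const MAX_RANGE_LENGTH = 256;
const RANGE_CHARS = /^[0-9A-Za-z.+\-~^<>=|* ]*$/; // what a legitimate range can be made of

// Returns a normalized range string, or null when the input should be rejected
// instead of being handed to new Range. Runs of spaces are collapsed so the
// parser only ever sees single separators.
function guardRangeInput(input) {
  if (typeof input !== 'string') return null;
  if (input.length > MAX_RANGE_LENGTH) return null;
  if (!RANGE_CHARS.test(input)) return null;
  return input.replace(/ +/g, ' ').trim();
}
```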
Metadata
Created: 2023-06-21T06:30:28Z
Modified: 2024-12-06T20:34:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json
CWE IDs: CWE-1333
Alternative ID: GHSA-c2qf-rxjj-qqgw
Finding: F211
Auto approve: 1