Fluid Attacks Database

Description

semver vulnerable to Regular Expression Denial of Service Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	semver	>=7.0.0 <7.5.2 \|\| >=6.0.0 <6.3.1 \|\| >=2.0.0-alpha <5.7.2	7.5.2, 6.3.1, 5.7.2
debian 11	node-semver	=7.3.4-1 \|\| =7.3.5+~7.3.8-1 \|\| =7.3.5+~7.3.9-1 \|\| =7.3.5+~7.3.9-2 \|\| =7.5.4+~7.5.0-1 \|\| =7.5.4+~7.5.0-2 \|\| =7.6.1+~7.5.8-1 \|\| =7.6.1+~7.5.8-2 \|\| =7.7.4+~7.7.1-1 \|\| =7.7.4+~cs9.7.4-1	-
debian 12	node-semver	=7.3.5+~7.3.9-2 \|\| =7.5.4+~7.5.0-1 \|\| =7.5.4+~7.5.0-2 \|\| =7.6.1+~7.5.8-1 \|\| =7.6.1+~7.5.8-2 \|\| =7.7.4+~7.7.1-1 \|\| =7.7.4+~cs9.7.4-1	-
debian 13	node-semver	>=0 <7.5.4+~7.5.0-1	7.5.4+~7.5.0-1
debian 14	node-semver	>=0 <7.5.4+~7.5.0-1	7.5.4+~7.5.0-1
rpm rhel6	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel8	nodejs	<1:16.20.2-2.module+el8.8.0+19898+ab99ba34	1:16.20.2-2.module+el8.8.0+19898+ab99ba34
rpm rhel8.6	nodejs	<1:16.20.2-2.module+el8.6.0+19897+9590a839	1:16.20.2-2.module+el8.6.0+19897+9590a839
rpm rhel9	nodejs	-	-

1-10 of 11

Aliases

1. CVE-2022-258832. NVD-2022-258833. OSV-2022-258834. OSV-DEBIAN-2022-258835. GCVE-2022-258836. SECURITY-TRACKER-CVE-2022-25883

References