CVE-2022-25883

CVSS 5.3 MEDIUM · EPSS 2.8% · CWE-1333
In short

The semver package before version 7.5.2 has a flaw where it can be made to hang or crash when processing certain malformed version range strings. An attacker can exploit this by sending specially crafted input to cause a denial of service.

Technical detail

A ReDoS vulnerability exists in the Range constructor of semver <7.5.2, exploitable via untrusted range input strings that trigger excessive backtracking in regular expression evaluation. The vulnerability requires application code to process attacker-controlled range parameters, resulting in CPU exhaustion and service unavailability.

Summary generated and translated by AI from the official description.
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P
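Two defender-side checks for this advisory, added here as an example (not code from the advisory or from the semver project): a bounds check on untrusted range strings before they reach a parser such as new Range, and a helper that tells whether an installed semver version is below the fixed 7.5.2. The parser is a hypothetical caller-supplied parseRange, and the 256-character cap is an assumed limit, not one the advisory states.

```javascript
// Upgrading semver to >= 7.5.2 is the actual fix; this guard is defence in depth
// for code paths that hand attacker-controlled range strings to a parser.
const MAX_RANGE_LENGTH = 256; // assumption: ample for real ranges, too short for heavy backtracking
// Characters seen in legitimate semver ranges (digits, identifiers, operators, x-ranges, whitespace).
// This pattern is itself linear-time: one character class, no nested quantifiers.
const RANGE_CHARS = /^[0-9A-Za-z.\-+~^*<>=|x\s]*$/;

function validateRangeInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_RANGE_LENGTH) return { ok: false, reason: 'too long' };
  if (!RANGE_CHARS.test(input)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value: input.trim() };
}

// parseRange is a hypothetical caller-provided function, e.g. (s) => new semver.Range(s).
function parseUntrustedRange(input, parseRange) {
  const v = validateRangeInput(input);
  if (!v.ok) throw new Error(`rejected range input: ${v.reason}`);
  return parseRange(v.value);
}

// Advisory: semver before 7.5.2 is affected. Compares major.minor.patch only;
// prerelease tags are ignored, which is a simplification for inventory checks.
const FIXED_VERSION = [7, 5, 2];
function isAffectedSemverVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 7.5.2
}
```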
Affected products
n/a · semver
