7.5

CVE-2022-25883

Medienbericht
Exploit
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.


Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NpmjsSemver SwPlatformnode.js Version < 5.7.2
NpmjsSemver SwPlatformnode.js Version >= 6.0.0 < 6.3.1
NpmjsSemver SwPlatformnode.js Version >= 7.0.0 < 7.5.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.76% 0.844
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
20.02.2026 10:25
https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
Broken Link
https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
Broken Link
https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
Broken Link
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
Patch
Third Party Advisory
https://github.com/npm/node-semver/pull/564
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
Patch
Third Party Advisory
Exploit
https://security.netapp.com/advisory/ntap-20241025-0004/
Third Party Advisory