CVE-2022-25883

Exploit

EPSS 0.32%
Published 21.06.2023 05:15:09
Last modified 23.09.2025 15:05:46
Source report@snyk.io
Teams watchlist Login
Open Login

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Npmjs ≫ Semver SwPlatformnode.js Version < 5.7.2

Npmjs ≫ Semver SwPlatformnode.js Version >= 6.0.0 < 6.3.1

Npmjs ≫ Semver SwPlatformnode.js Version >= 7.0.0 < 7.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.546

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

Broken Link

https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Patch

Third Party Advisory

https://github.com/npm/node-semver/pull/564

Patch

Third Party Advisory