CVE-2022-25883

Medienbericht

Exploit

EPSS 0.6%
Veröffentlicht 21.06.2023 05:15:09
Zuletzt bearbeitet 23.09.2025 15:05:46
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Npmjs ≫ Semver SwPlatformnode.js Version < 5.7.2

Npmjs ≫ Semver SwPlatformnode.js Version >= 6.0.0 < 6.3.1

Npmjs ≫ Semver SwPlatformnode.js Version >= 7.0.0 < 7.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.6%	0.692

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://www.heise.de/news/Atlassian-Sicherheitsupdates-Bamboo-und-Confluence-sind-verwundbar-11183534.html

Medienbericht

heise Security

20.02.2026 10:25

https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

Broken Link

https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Patch