7.5
CVE-2022-25883
- EPSS 2.76%
- Veröffentlicht 21.06.2023 05:15:09
- Zuletzt bearbeitet 23.09.2025 15:05:46
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.76% | 0.844 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| report@snyk.io | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
https://github.com/npm/node-semver/pull/564
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://security.netapp.com/advisory/ntap-20241025-0004/