CVE-2022-25883

Exploit

EPSS 0.32%
Veröffentlicht 21.06.2023 05:15:09
Zuletzt bearbeitet 23.09.2025 15:05:46
Quelle report@snyk.io
Teams Watchlist Login
Unerledigt Login

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Npmjs ≫ Semver SwPlatformnode.js Version < 5.7.2

Npmjs ≫ Semver SwPlatformnode.js Version >= 6.0.0 < 6.3.1

Npmjs ≫ Semver SwPlatformnode.js Version >= 7.0.0 < 7.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.546

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

Broken Link

https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

Broken Link

https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Patch

Third Party Advisory

https://github.com/npm/node-semver/pull/564

Patch

Third Party Advisory