CVE-2022-25883
HIGH 7.5 | EPSS 0.60%
semver vulnerable to Regular Expression Denial of Service
Published: 2023/6/21 | Modified: 2026/2/4
Description
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Affected packages (2)
- Debian/node-semver from 0
- npm/semver >= 7.0.0, < 7.5.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (17)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-25883
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2022-25883
- PATCH https://github.com/npm/node-semver
- WEB https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
- WEB https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
- WEB https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
- WEB https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
- WEB https://github.com/npm/node-semver/blob/main/internal/re.js#L138
- WEB https://github.com/npm/node-semver/blob/main/internal/re.js#L160
- WEB https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
- WEB https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- WEB https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
- WEB https://github.com/npm/node-semver/pull/564
- WEB https://github.com/npm/node-semver/pull/585
- WEB https://github.com/npm/node-semver/pull/593
- WEB https://security.netapp.com/advisory/ntap-20241025-0004
- WEB https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795