Search
Find a vulnerability
Search criteria
2 vulnerabilities found for semver by npmjs
CVE-2022-25883 (GCVE-0-2022-25883)
Vulnerability from nvd – Published: 2023-06-21 05:00 – Updated: 2024-12-06 16:55
VLAI
EPSS
VEX
Summary
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
7 references
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-25T13:07:28.542Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241025-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25883",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:54:52.064322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:55:09.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "semver",
"vendor": "n/a",
"versions": [
{
"lessThan": "7.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera - Snyk Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-21T05:00:03.352Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25883",
"datePublished": "2023-06-21T05:00:03.352Z",
"dateReserved": "2022-02-24T11:58:25.192Z",
"dateUpdated": "2024-12-06T16:55:09.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25883 (GCVE-0-2022-25883)
Vulnerability from cvelistv5 – Published: 2023-06-21 05:00 – Updated: 2024-12-06 16:55
VLAI
EPSS
VEX
Summary
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
7 references
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-25T13:07:28.542Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241025-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25883",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:54:52.064322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:55:09.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "semver",
"vendor": "n/a",
"versions": [
{
"lessThan": "7.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera - Snyk Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-21T05:00:03.352Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25883",
"datePublished": "2023-06-21T05:00:03.352Z",
"dateReserved": "2022-02-24T11:58:25.192Z",
"dateUpdated": "2024-12-06T16:55:09.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}