NodeJS/semver/5.5.1
The semantic version parser used by npm.
https://www.npmjs.com/package/semver
ISC
1 Security Vulnerabilities
semver vulnerable to Regular Expression Denial of Service
Published date: 2023-06-21T06:30:28Z
CVE: CVE-2022-25883
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25883
- https://github.com/npm/node-semver/pull/564
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js#L138
- https://github.com/npm/node-semver/blob/main/internal/re.js#L160
- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
- https://github.com/npm/node-semver/pull/585
- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
- https://github.com/npm/node-semver/pull/593
- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Affected versions:
["7.0.0", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.2.0", "7.2.1", "7.2.2", "7.2.3", "7.3.0", "7.3.1", "7.3.2", "7.3.3", "7.3.4", "7.3.5", "7.3.6", "7.3.7", "7.3.8", "7.4.0", "7.5.0", "7.5.1", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "2.0.0-alpha", "2.0.0-beta", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0.10", "2.0.11", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.3.1", "2.3.2", "3.0.0", "3.0.1", "4.0.0", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.2.0", "4.2.1", "4.2.2", "4.3.0", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.5", "4.3.6", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.1.0", "5.1.1", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "6.0.0", "6.1.0", "6.1.1", "6.1.2", "6.1.3", "6.2.0", "6.3.0"]
Secure versions:
[7.5.2, 7.5.3, 7.5.4, 5.7.2, 6.3.1, 7.6.0, 7.6.1, 7.6.2, 7.6.3]
Recommendation:
Update to version 7.6.3.
108 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.0.7 | MIT | 3 | 2011-06-17 - 16:26 | over 13 years |
1.0.6 | MIT | 3 | 2011-05-21 - 00:09 | over 13 years |
1.0.5 | ISC | 3 | 2011-05-03 - 23:11 | over 13 years |
1.0.4 | ISC | 3 | 2011-04-21 - 07:32 | over 13 years |
1.0.3 | ISC | 3 | 2011-04-19 - 23:29 | over 13 years |
1.0.2 | ISC | 3 | 2011-03-22 - 21:27 | over 13 years |
1.0.1 | ISC | 3 | 2011-02-18 - 17:15 | over 13 years |
1.0.0 | ISC | 3 | 2011-02-12 - 00:20 | over 13 years |