PT-2023-4569 · Npm+6 · Semver+7

Alessio Della Libera

·

Publicado

2023-06-21

·

Atualizado

2026-06-04

·

CVE-2022-25883

CVSS v2.0

7.8

Alta

VetorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions semver versions prior to 7.5.2 semver versions prior to 6.3.1 on the 6.x branch semver versions prior to 5.7.2
Description The issue is related to the use of a regular expression with inefficient computational complexity in the semver package, which can lead to a Regular Expression Denial of Service (ReDoS) via the new Range function when untrusted user data is provided as a range. This can allow a remote attacker to cause a denial of service.
Recommendations For semver versions prior to 7.5.2, update to version 7.5.2 or later. For semver versions prior to 6.3.1 on the 6.x branch, update to version 6.3.1 or later. For semver versions prior to 5.7.2, update to version 5.7.2 or later. As a temporary workaround, consider restricting the use of the new Range function to trusted input only until a patch is available.

Exploit

Correção

DoS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1333

Identificadores relacionados

ALSA-2023:5360
ALSA-2023:5362
ALSA-2023:5363
AZL-27207
AZL-27208
AZL-43534
AZL-43717
AZL-44694
AZL-45168
BDU:2023-04976
CESA-2023_5360
CESA-2023_5362
CVE-2022-25883
GHSA-C2QF-RXJJ-QQGW
OPENSUSE-SU-2024:14012-1
RHSA-2023:5360
RHSA-2023:5361
RHSA-2023:5362
RHSA-2023:5363
RHSA-2023:5484
RHSA-2023:5485
RHSA-2023:5486
RHSA-2023_5360
RHSA-2023_5362
RHSA-2023_5363
RLSA-2023:5363

Produtos afetados

Almalinux
Bitbucket
Centos
Confluence
Debian
Red Hat
Rocky Linux
Semver