PT-2023-4569 · Npm+6 · Semver+7

Alessio Della Libera · Published 2023-06-21 · Updated 2026-03-17 · CVE-2022-25883

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

semver versions prior to 7.5.2
semver versions prior to 6.3.1 on the 6.x branch
semver versions prior to 5.7.2

Description

The semver package parses version ranges with a regular expression of inefficient computational complexity, which can lead to a Regular Expression Denial of Service (ReDoS) via the new Range function when untrusted user data is provided as a range. A remote attacker can use this to cause a denial of service.

Recommendations

For semver versions prior to 7.5.2, update to version 7.5.2 or later. For semver versions prior to 6.3.1 on the 6.x branch, update to version 6.3.1 or later. For semver versions prior to 5.7.2, update to version 5.7.2 or later. As a temporary workaround, consider restricting the use of the new Range function to trusted input only until a patch is available.
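The workaround above, restricting new Range to trusted input, can be enforced with a small guard placed in front of the parser. The following JavaScript is an added example, not code from the advisory or from the semver project: the length cap, the character allowlist and the repeated-character limit are assumptions chosen for illustration, and the optional require('semver') uses the real package only when it is installed. Bounding the input this way limits how long a backtracking regular expression can run on untrusted data; it complements the version upgrade rather than replacing it.

```javascript
// Added example (not from the advisory or the semver project): vet an untrusted
// version-range string before it reaches a range parser such as semver's
// `new Range()`. All limits below are assumed values for illustration.

const MAX_RANGE_LENGTH = 256; // assumed cap; legitimate ranges are far shorter
const MAX_RUN = 3;            // assumed limit on consecutive identical non-alphanumerics

// Characters that occur in legitimate semver range syntax: digits, letters
// (prerelease tags, 'x' wildcards), '.', '-', '+', '*', '~', '^', '<', '>',
// '=', '|' and spaces. Everything else is rejected up front.
const RANGE_CHARSET = /^[0-9A-Za-z.\-+*~^<>=| ]*$/;
const ALNUM = /[0-9A-Za-z]/;

// Returns { ok: true, value } for an acceptable range string, or
// { ok: false, reason } describing why the input was refused.
function vetRange(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_RANGE_LENGTH) return { ok: false, reason: 'too long' };
  if (!RANGE_CHARSET.test(input)) return { ok: false, reason: 'disallowed characters' };

  // Long runs of the same operator or whitespace character are where a
  // backtracking regex does the most work; detect them with a linear scan
  // rather than with another regex.
  let run = 1;
  for (let i = 1; i < input.length; i++) {
    if (input[i] === input[i - 1] && !ALNUM.test(input[i])) {
      run += 1;
      if (run > MAX_RUN) return { ok: false, reason: 'repeated operator characters' };
    } else {
      run = 1;
    }
  }
  return { ok: true, value: input.trim() };
}

// Use the real semver package when it is installed; otherwise only the
// vetting step runs and the vetted string is returned unchanged.
let semver = null;
try {
  semver = require('semver');
} catch (e) {
  semver = null; // semver not installed in this environment
}

// Parse a range that came from an untrusted source (request body, config
// uploaded by a user, dependency metadata), refusing anything the guard rejects.
function parseUntrustedRange(input) {
  const vetted = vetRange(input);
  if (!vetted.ok) throw new Error(`rejected range: ${vetted.reason}`);
  return semver ? new semver.Range(vetted.value) : vetted.value;
}

module.exports = { vetRange, parseUntrustedRange, MAX_RANGE_LENGTH };
```

Call parseUntrustedRange wherever a range string arrives from outside the trust boundary; ranges that originate from your own package.json or from vetted configuration can keep calling new Range directly.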

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2023:5360
ALSA-2023:5362
ALSA-2023:5363
AZL-27207
AZL-27208
AZL-43534
AZL-43717
AZL-44694
AZL-45168
BDU:2023-04976
CESA-2023_5360
CESA-2023_5362
CVE-2022-25883
GHSA-C2QF-RXJJ-QQGW
OPENSUSE-SU-2024:14012-1
RHSA-2023:5360
RHSA-2023:5361
RHSA-2023:5362
RHSA-2023:5363
RHSA-2023:5484
RHSA-2023:5485
RHSA-2023:5486
RHSA-2023_5360
RHSA-2023_5362
RHSA-2023_5363
RLSA-2023:5363

Affected Products

Almalinux
Bitbucket
Centos
Confluence
Debian
Red Hat
Rocky Linux
Semver