CVE-2022-25883

MEDIUM

npmjs/semver <5.7.2 and >=7.0.0 <7.5.2 - Regular Expression Denial of Service via Range Function


Description

Affected versions of the npm package semver (see Products below) are vulnerable to Regular Expression Denial of Service (ReDoS) in the Range constructor (new Range): a crafted range string supplied from untrusted input triggers excessive backtracking in the range-parsing regular expressions, burning CPU on the parsing thread. The impact is availability only, consistent with the CVSS vector (C:N/I:N/A:L); no data is disclosed or modified.
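The durable fix is to upgrade to a version at or above the fixed releases listed under Products. Where an upgrade cannot land immediately, the standard defence for CWE-1333 is to bound what the regex engine is allowed to backtrack over before the string reaches the parser. The following is an added example of such a guard in front of new Range; it is not code from the advisory or from the semver project. The length cap, the allowed character set and the function names are this example's own assumptions, chosen to cover ordinary node-semver range syntax rather than derived from the vulnerable regexes.

```javascript
// Added example (not from the advisory or the semver project): an input guard
// placed in front of semver's Range parser. A ReDoS needs a long string that
// matches the regex's ambiguous prefix, so we bound length and alphabet first.

// Assumption: real-world range expressions are far shorter than this.
const MAX_RANGE_LENGTH = 256;

// Assumption: characters that legitimately appear in a node-semver range:
// digits, letters (prerelease/build tags, 'x' wildcards), the operator
// punctuation  ^ ~ < > = | - . + *  and single spaces. Anything else is rejected.
const RANGE_CHARSET = /^[0-9A-Za-z.+*^~<>=|\- ]*$/;

// Validates and normalises an untrusted range string.
// Returns { ok: true, value } or { ok: false, reason }.
function validateRangeInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_RANGE_LENGTH) return { ok: false, reason: 'too long' };
  // Collapse whitespace runs: repeated spaces/tabs carry no meaning in a range
  // but are exactly the filler a backtracking payload is padded with.
  const normalized = input.trim().replace(/\s+/g, ' ');
  if (!RANGE_CHARSET.test(normalized)) {
    return { ok: false, reason: 'unexpected characters' };
  }
  return { ok: true, value: normalized };
}

// Wrapper around the real parser. semver is loaded lazily so the guard above
// can be exercised without the package installed; the package itself is used
// unchanged.
function parseRangeSafely(input) {
  const checked = validateRangeInput(input);
  if (!checked.ok) throw new Error(`rejected range: ${checked.reason}`);
  const semver = require('semver');
  return new semver.Range(checked.value);
}

// Constructed sample inputs for demonstration (not taken from the advisory).
const samples = [
  '^1.2.3',
  '>=1.0.0   <2.0.0 || 3.x',
  '1.2.3' + ' '.repeat(100) + '- 2.0.0',    // padded but under the cap: normalised
  '1.2.3' + ' '.repeat(50000) + 'x',         // hostile padding: rejected on length
  '<script>alert(1)</script>',               // wrong alphabet: rejected
];

for (const s of samples) {
  const r = validateRangeInput(s);
  console.log(JSON.stringify(s.slice(0, 20)), '->', r.ok ? r.value : `rejected (${r.reason})`);
}

module.exports = { validateRangeInput, parseRangeSafely, MAX_RANGE_LENGTH };
```

The guard is deliberately not a grammar check for ranges; it only shrinks the input space the vulnerable regexes see, so a string that passes may still be rejected by new Range as invalid. That is the right division of labour: the parser decides validity, the guard decides how much CPU the parser may be asked to spend.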

Scores

CVSS v3.1 base score 5.3 (Medium)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector NETWORK
EPSS 0.0248 (2.48% probability of exploitation activity)
EPSS Percentile 82.4%

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1333
Status published
Products (2)
npm/semver >=7.0.0 <7.5.2 (fixed in 7.5.2)
npmjs/semver <5.7.2 (fixed in 5.7.2)
Published Jun 21, 2023
Tracked Since Feb 18, 2026