CVE-2022-25883
semver vulnerable to Regular Expression Denial of Service
Severity: 7.5 HIGH (CVSS 3.1); EPSS 0.60%
Description
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
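An added example, not part of this advisory, showing how a defender would check whether an installed semver copy falls inside the affected ranges stated above (7.x before 7.5.2, 6.x before 6.3.1, all other versions before 5.7.2). It uses a minimal version parser rather than the semver package itself, and scans a constructed npm lockfile fragment (the v2/v3 "packages" map) so that nested copies are caught as well as the top-level one:

```javascript
// Added example (not advisory or project code): flags semver versions that fall
// in the affected ranges given in the CVE-2022-25883 description, and lists the
// affected copies in an npm lockfile v2/v3 "packages" map, nested ones included.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain X.Y.Z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// First fixed release per branch, taken from the advisory description.
const FIXED_BY_MAJOR = { 7: '7.5.2', 6: '6.3.1' };
const FIXED_OTHER = '5.7.2';

function isAffected(version) {
  const [major] = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[major] || FIXED_OTHER;
  // 8.x and later compare greater than 5.7.2, so they are reported as not affected.
  return compareVersions(version, fixed) < 0;
}

// Returns the lockfile paths of every semver copy that is affected. Nested
// installs (node_modules/x/node_modules/semver) are the ones most often missed.
function affectedSemverPaths(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, entry]) => p.split('/').pop() === 'semver' && entry && entry.version)
    .filter(([, entry]) => isAffected(entry.version))
    .map(([p]) => p);
}

// Constructed sample lockfile fragment (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/semver': { version: '7.3.8' },
    'node_modules/safe-lib/node_modules/semver': { version: '6.3.1' },
    'node_modules/old-lib/node_modules/semver': { version: '5.7.1' },
  },
};

console.log(affectedSemverPaths(SAMPLE_LOCK));
```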
How to fix CVE-2022-25883
To remediate CVE-2022-25883, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 7.5.2 or later
Is CVE-2022-25883 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 7.0.0, < 7.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |