[NPM:GHSA-C2QF-RXJJ-QQGW] semver vulnerable to Regular Expression Denial of Service
Severity
Moderate
Affected Packages
3
Fixed Packages
3
CVEs
1
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
| Package | Affected Version |
|---|---|
 pkg:npm/semver
|
< 5.7.2 |
|
pkg:npm/semver
|
>= 6.0.0, < 6.3.1 |
|
pkg:npm/semver
|
>= 7.0.0, < 7.5.2 |
| Package | Fixed Version |
|---|---|
|
pkg:npm/semver
|
= 5.7.2 |
|
pkg:npm/semver
|
= 6.3.1 |
|
pkg:npm/semver
|
= 7.5.2 |
- ID
- NPM:GHSA-C2QF-RXJJ-QQGW
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
- Published
-
2023-06-21T06:30:28
(15 months ago) - Modified
-
2024-01-08T20:36:49
(8 months ago) - Rights
- NPM Security Team
- Other Advisories
ALSA-2023:5360
ELSA-2023-5360
RHSA-2023:5360| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:npm/semver |
semver
|
< 5.7.2 | ||||
| Fixed | pkg:npm/semver |
semver
|
= 5.7.2 | ||||
| Affected | pkg:npm/semver |
semver
|
>= 6.0.0 < 6.3.1 | ||||
| Fixed | pkg:npm/semver |
semver
|
= 6.3.1 | ||||
| Affected | pkg:npm/semver |
semver
|
>= 7.0.0 < 7.5.2 | ||||
| Fixed | pkg:npm/semver |
semver
|
= 7.5.2 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |