CVE-2022-25883

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2022-25883

Severity

7.5

High

CVSS CVSS_V3

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

References

https://images.chainguard.dev/security/CGA-xmx9-rvv8-j9xq
https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
https://images.chainguard.dev/security/CGA-366x-x757-62f9
https://images.chainguard.dev/security/CGA-8fm8-5xq4-cc7g
https://github.com/npm/node-semver/pull/564
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://security.netapp.com/advisory/ntap-20241025-0004/
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
https://security-tracker.debian.org/tracker/CVE-2022-25883

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Private Policy

CVE-2022-25883

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources