Home > Vulnerability Database > CVE-2022-25883

Mend.io Vulnerability Database

CVE-2022-25883

Good to know:

Date: June 21, 2023

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Language: JS

Severity Score

5.3

Related Resources (19)

Url: https://github.com/npm/node-semver

Url: https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104

Url: https://github.com/npm/node-semver/blob/main/internal/re.js#L160

Url: https://security-tracker.debian.org/tracker/CVE-2022-25883

Url: https://github.com/npm/node-semver/blob/main/internal/re.js#L138

Url: https://security.netapp.com/advisory/ntap-20241025-0004

Url: https://github.com/npm/node-semver/pull/593

Url: https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Url: https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25883

Url: https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c

Url: https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0

Url: https://github.com/npm/node-semver/pull/585

Url: https://github.com/npm/node-semver/pull/564

Url: https://access.redhat.com/security/cve/CVE-2022-25883

Url: https://security.netapp.com/advisory/ntap-20241025-0004/

Url: https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

Url: https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Url: https://www.mend.io/vulnerability-database/CVE-2022-25883

Severity Score

5.3

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version semver - 5.7.2;semver - 6.3.1;semver - 7.5.2

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25883

Good to know:

Date: June 21, 2023

Language: JS

Severity Score

Related Resources (19)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?