Home > Vulnerability Database > CVE-2022-25883

Mend.io Vulnerability Database

CVE-2022-25883

Good to know:

Date: June 21, 2023

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Language: JS

Severity Score

7.5

Related Resources (9)

Url: https://github.com/npm/node-semver/pull/564

Url: https://access.redhat.com/security/cve/CVE-2022-25883

Url: https://github.com/npm/node-semver/blob/main/internal/re.js%23L160

Url: https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104

Url: https://security-tracker.debian.org/tracker/CVE-2022-25883

Url: https://github.com/npm/node-semver/blob/main/internal/re.js%23L138

Url: https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25883

Url: https://www.mend.io/vulnerability-database/CVE-2022-25883

Severity Score

7.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25883

Good to know:

Date: June 21, 2023

Language: JS

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?