CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 53.0%
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
References
github.com/npm/node-semver
github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
github.com/npm/node-semver/blob/main/internal/re.js#L138
github.com/npm/node-semver/blob/main/internal/re.js#L160
github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
github.com/npm/node-semver/pull/564
github.com/npm/node-semver/pull/585
github.com/npm/node-semver/pull/593
nvd.nist.gov/vuln/detail/CVE-2022-25883
security.snyk.io/vuln/SNYK-JS-SEMVER-3247795