NodeJS/semver/5.0.1
The semantic version parser used by npm.
https://www.npmjs.com/package/semver
ISC
1 Security Vulnerabilities
semver vulnerable to Regular Expression Denial of Service
Published date: 2023-06-21T06:30:28Z
CVE: CVE-2022-25883
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25883
- https://github.com/npm/node-semver/pull/564
- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js#L138
- https://github.com/npm/node-semver/blob/main/internal/re.js#L160
- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
- https://github.com/npm/node-semver/pull/585
- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
- https://github.com/npm/node-semver/pull/593
- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
- https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
- https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
- https://security.netapp.com/advisory/ntap-20241025-0004
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Affected versions:
["7.0.0", "7.1.1", "7.2.0", "7.2.2", "7.3.0", "7.3.1", "7.3.2", "7.1.0", "7.1.2", "7.1.3", "7.2.1", "7.2.3", "7.3.3", "7.3.4", "7.3.5", "7.3.6", "7.3.7", "7.3.8", "7.4.0", "7.5.0", "7.5.1", "1.0.0", "1.0.1", "1.0.3", "1.0.4", "1.0.6", "1.0.8", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.1.0", "1.1.2", "1.1.4", "2.0.0-alpha", "2.0.0-beta", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.7", "2.0.10", "2.0.11", "2.1.0", "2.2.1", "2.3.0", "2.3.2", "3.0.0", "3.0.1", "4.0.0", "4.0.2", "4.2.0", "4.3.0", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.6", "5.0.1", "5.0.2", "5.2.0", "5.3.0", "5.5.1", "5.6.0", "5.7.1", "1.0.2", "1.0.5", "1.0.7", "1.0.9", "1.0.14", "1.1.1", "1.1.3", "2.0.3", "2.0.6", "2.0.8", "2.0.9", "2.2.0", "2.3.1", "4.0.3", "4.1.0", "4.1.1", "4.2.1", "4.2.2", "4.3.5", "5.0.0", "5.0.3", "5.1.0", "5.1.1", "5.4.0", "5.4.1", "5.5.0", "5.7.0", "6.0.0", "6.1.0", "6.1.2", "6.1.3", "6.2.0", "6.3.0", "6.1.1"]
Secure versions:
[5.7.2, 6.3.1, 7.5.2, 7.5.3, 7.5.4, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2]
Recommendation:
Update to version 7.7.2.
111 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.0.10 | MIT | 3 | 2011-10-04 - 01:51 | over 13 years |
| 1.0.9 | MIT | 3 | 2011-07-20 - 21:38 | almost 14 years |
| 1.0.8 | MIT | 3 | 2011-06-27 - 21:58 | about 14 years |
| 1.0.7 | MIT | 3 | 2011-06-17 - 16:26 | about 14 years |
| 1.0.6 | MIT | 3 | 2011-05-21 - 00:09 | about 14 years |
| 1.0.5 | ISC | 3 | 2011-05-03 - 23:11 | about 14 years |
| 1.0.4 | ISC | 3 | 2011-04-21 - 07:32 | about 14 years |
| 1.0.3 | ISC | 3 | 2011-04-19 - 23:29 | about 14 years |
| 1.0.2 | ISC | 3 | 2011-03-22 - 21:27 | over 14 years |
| 1.0.1 | ISC | 3 | 2011-02-18 - 17:15 | over 14 years |
| 1.0.0 | ISC | 3 | 2011-02-12 - 00:20 | over 14 years |