Low severityNVD Advisory· Published Jun 1, 2022· Updated Sep 17, 2024

Exponential ReDoS in semver-regex

CVE-2021-43307

Description

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
semver-regexnpm	< 3.1.4	3.1.4
semver-regexnpm	>= 4.0.0, < 4.0.3	4.0.3

Affected products

osv-coords9 versions
pkg:apk/chainguard/pgadmin4 pkg:apk/chainguard/pgadmin4-oci-entrypoint pkg:apk/chainguard/pgadmin4-pg12 pkg:apk/chainguard/pgadmin4-pg13 pkg:apk/chainguard/pgadmin4-pg14 pkg:apk/chainguard/pgadmin4-pg15 pkg:apk/chainguard/pgadmin4-pg16 pkg:apk/chainguard/pgadmin4-pg17 pkg:npm/semver-regex
< 9.1-r1+ 8 more
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 9.1-r1
- (no CPE)range: < 3.1.4
semver-regex/semver-regexcpe-rescue
Range: unspecified

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-4x5v-gmq8-25chghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-43307ghsaADVISORY
github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0cghsaWEB
research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349ghsaWEB
research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000