Medium severity5.3NVD Advisory· Published Jun 21, 2023· Updated Jun 17, 2026
CVE-2022-25883
CVE-2022-25883
Description
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
semvernpm | >= 7.0.0, < 7.5.2 | 7.5.2 |
semvernpm | >= 6.0.0, < 6.3.1 | 6.3.1 |
semvernpm | >= 2.0.0-alpha, < 5.7.2 | 5.7.2 |
Affected products
12- semver/semverdescription
- osv-coords11 versionspkg:apk/chainguard/nodejs-14pkg:npm/semverpkg:rpm/almalinux/nodejspkg:rpm/almalinux/nodejs-develpkg:rpm/almalinux/nodejs-docspkg:rpm/almalinux/nodejs-full-i18npkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/nodejs-packaging-bundlerpkg:rpm/almalinux/npmpkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed
< 14.21.3-r1+ 10 more
- (no CPE)range: < 14.21.3-r1
- (no CPE)range: >= 7.0.0, < 7.5.2
- (no CPE)range: < 1:16.20.2-2.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 1:16.20.2-2.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 1:16.20.2-2.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 1:16.20.2-2.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 3.0.1-1.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 26-1.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 2021.06-4.module_el8.7.0+3343+ea2b7901
- (no CPE)range: < 1:8.19.4-1.16.20.2.2.module_el8.8.0+3614+204d6f43
- (no CPE)range: < 0.7.0.4.git74.3426c0a-9.1
Patches
Vulnerability mechanics
References
17- github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441nvdPatchThird Party AdvisoryWEB
- github.com/npm/node-semver/pull/564nvdPatchThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-JS-SEMVER-3247795nvdExploitPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-c2qf-rxjj-qqgwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25883ghsaADVISORY
- security.netapp.com/advisory/ntap-20241025-0004/nvdThird Party Advisory
- github.com/npm/node-semver/blob/main/classes/range.jsghsaWEB
- github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104nvdBroken LinkWEB
- github.com/npm/node-semver/blob/main/internal/re.jsghsaWEB
- github.com/npm/node-semver/blob/main/internal/re.jsghsaWEB
- github.com/npm/node-semver/blob/main/internal/re.js%23L138nvdBroken LinkWEB
- github.com/npm/node-semver/blob/main/internal/re.js%23L160nvdBroken LinkWEB
- github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0ghsaWEB
- github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920cghsaWEB
- github.com/npm/node-semver/pull/585ghsaWEB
- github.com/npm/node-semver/pull/593ghsaWEB
- security.netapp.com/advisory/ntap-20241025-0004ghsaWEB
News mentions
0No linked articles in our index yet.