npm package
semver
pkg:npm/semver
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-25883 | — | | | >= 7.0.0, < 7.5.2 | 7.5.2 | Jun 21, 2023 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
| CVE-2015-8855 | High | 7.5 | | >= 1.0.4, < 4.3.2 | 4.3.2 | Jan 23, 2017 | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." |