CVE-2022-25883 – nodejs-semver: Regular expression denial of service

https://notcve.org/view.php?id=CVE-2022-25883

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. • https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104 https://github.com/npm/node-semver/blob/main/internal/re.js%23L138 https://github.com/npm/node-semver/blob/main/internal/re.js%23L160 https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441 https://github.com/npm/node-semver/pull/564 https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 https://access.redhat.com/security/cve/CVE-2022-25883 https://bugzilla.redhat.com/show_bug.cg • CWE-1333: Inefficient Regular Expression Complexity •