CVE-2022-25883

NameCVE-2022-25883
DescriptionVersions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-semver (PTS)buster5.5.1-1vulnerable
bullseye7.3.4-1vulnerable
bookworm7.3.5+~7.3.9-2vulnerable
sid, trixie7.6.1+~7.5.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-semversource(unstable)7.5.4+~7.5.0-1

Notes

[bookworm] - node-semver <no-dsa> (Minor issue)
[bullseye] - node-semver <no-dsa> (Minor issue)
[buster] - node-semver <no-dsa> (Minor issue)
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://github.com/npm/node-semver/pull/564
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441 (v7.5.2)

Search for package or bug name: Reporting problems