Name | CVE-2022-25883 |
---|---|
Description | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
node-semver (PTS) | jessie | 2.1.0-2 | vulnerable |
node-semver (PTS) | stretch | 5.3.0-1 | vulnerable |
node-semver (PTS) | buster | 5.5.1-1 | vulnerable |
node-semver (PTS) | bullseye | 7.3.4-1 | vulnerable |
node-semver (PTS) | bookworm | 7.3.5+~7.3.9-2 | vulnerable |
node-semver (PTS) | sid, trixie | 7.6.1+~7.5.8-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
node-semver | source | jessie | (unfixed) | end-of-life | | |
node-semver | source | stretch | (unfixed) | end-of-life | | |
node-semver | source | (unstable) | 7.5.4+~7.5.0-1 | | | |
Notes
[bookworm] - node-semver <no-dsa> (Minor issue)
[bullseye] - node-semver <no-dsa> (Minor issue)
[buster] - node-semver <no-dsa> (Minor issue)
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://github.com/npm/node-semver/pull/564
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441 (v7.5.2)