Description
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
node-semver | fixed | 7.5.4+~7.5.0-1 | package | |
node-semver | no-dsa | bookworm | package | |
node-semver | no-dsa | bullseye | package | |
node-semver | no-dsa | buster | package | |
Notes
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://github.com/npm/node-semver/pull/564
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441 (v7.5.2)
EPSS
Related vulnerabilities
semver vulnerable to Regular Expression Denial of Service