Description
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Recommendation
Update to version 4.3.2 or later.
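Until the update is rolled out, the exposure can be reduced by bounding and structurally validating version strings in linear time before they reach any regex-based parser. The following is an added example, not code from the semver package; the 256-character cap and the function names are assumptions made here.

```javascript
// Added example (not semver's own code): a length-bounded, backtracking-free
// pre-check for MAJOR.MINOR.PATCH[-pre][+build] strings, run before any
// regex-based parser sees untrusted input. ASSUMPTION: the 256-char cap is a
// defensive bound chosen here, not a value taken from the advisory.
const MAX_LENGTH = 256;
const isDigit = (c) => c >= '0' && c <= '9';
const isIdentChar = (c) =>
  isDigit(c) || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c === '-';
// Numeric identifier: "0" or digits with no leading zero (single pass, no regex).
function isNumericIdent(s) {
  if (s.length === 0) return false;
  for (const c of s) if (!isDigit(c)) return false;
  return s.length === 1 || s[0] !== '0';
}
// Pre-release identifier: alphanumerics/hyphens; all-digit ones need no leading zero.
function isPrereleaseIdent(s) {
  if (s.length === 0) return false;
  let allDigits = true;
  for (const c of s) {
    if (!isIdentChar(c)) return false;
    if (!isDigit(c)) allDigits = false;
  }
  return allDigits ? isNumericIdent(s) : true;
}
const isBuildIdent = (s) => s.length > 0 && [...s].every(isIdentChar);
// Returns the parsed fields, or null for malformed or over-long input. Every
// step is linear in the input, and the cap is checked before any parsing.
function parseVersion(input) {
  if (typeof input !== 'string' || input.length > MAX_LENGTH) return null;
  let s = input;
  let build = [];
  const plus = s.indexOf('+');
  if (plus !== -1) {
    build = s.slice(plus + 1).split('.');
    if (!build.every(isBuildIdent)) return null;
    s = s.slice(0, plus);
  }
  let prerelease = [];
  const dash = s.indexOf('-');
  if (dash !== -1) {
    prerelease = s.slice(dash + 1).split('.');
    if (!prerelease.every(isPrereleaseIdent)) return null;
    s = s.slice(0, dash);
  }
  const core = s.split('.');
  if (core.length !== 3 || !core.every(isNumericIdent)) return null;
  return { major: Number(core[0]), minor: Number(core[1]), patch: Number(core[2]), prerelease, build };
}
```

Strings that pass this check are both short and well-formed, so the downstream parser only ever sees bounded input; ranges and loose-mode syntax are outside the grammar covered here.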
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-8855
- https://github.com/advisories/GHSA-x6fg-f45m-jf5q
- https://www.npmjs.com/advisories/31
- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.securityfocus.com/bid/86957
Packages
semver: affected versions < 4.3.2; patched in 4.3.2
Related vulnerabilities
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."