semver vulnerable to Regular Expression Denial of Service
Moderate severity
GitHub Reviewed
Published
Jun 21, 2023
to the GitHub Advisory Database
•
Updated Feb 14, 2024
Package
Affected versions
>= 7.0.0, < 7.5.2
>= 6.0.0, < 6.3.1
< 5.7.2
Patched versions
7.5.2
6.3.1
5.7.2
Description
Published by the National Vulnerability Database
Jun 21, 2023
Published to the GitHub Advisory Database
Jun 21, 2023
Reviewed
Jun 22, 2023
Last updated
Feb 14, 2024
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
References