
[GHSA-x6fg-f45m-jf5q] Regular Expression Denial of Service in semver #7102

Merged
advisory-database[bot] merged 1 commit into ljharb/advisory-improvement-7102 from ljharb-GHSA-x6fg-f45m-jf5q
Mar 3, 2026

Conversation


@ljharb ljharb commented Mar 3, 2026

Updates

  • Affected products

Comments
The affected version range should be narrowed. Versions prior to 1.0.4 are NOT vulnerable to CVE-2015-8855.

The ReDoS vulnerability is caused by \s* whitespace quantifiers in the version parsing regex. These were introduced in commit 5c4c9f6e26c7 ("Close #2 Also, docs."), first published as v1.0.4.

In semver <= 1.0.3 (tag v1.0.3, commit a685e01b), the semver regex is:
[v=]*([0-9]+).([0-9]+).([0-9]+)
This has NO whitespace quantifiers and cannot exhibit catastrophic backtracking.

Starting in v1.0.4, the regex became:
\s*[v=]\s([0-9]+).([0-9]+).([0-9]+)
When composed into expressions.parse as ^\s*\s*[v=]\s...\s*$, the adjacent \s* quantifiers create O(n^2) backtracking on whitespace-padded inputs.

Evidence:

Replaces #7101.

Copilot AI review requested due to automatic review settings March 3, 2026 19:28
@github-actions github-actions bot changed the base branch from main to ljharb/advisory-improvement-7102 March 3, 2026 19:29

Copilot AI left a comment


Pull request overview

This PR updates the GHSA advisory for CVE-2015-8855 / GHSA-x6fg-f45m-jf5q to reflect that the ReDoS vulnerability in the semver npm package was introduced starting in v1.0.4, narrowing the affected version range.

Changes:

  • Update the advisory modified timestamp.
  • Narrow the affected range by changing the first introduced event from 0 to 1.0.4.


Comment on lines 27 to 31
{
"introduced": "0"
"introduced": "1.0.4"
},
{
"fixed": "4.3.2"
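Review bot: with the `introduced` event moved from `"0"` to `"1.0.4"` and the `fixed` event left at `"4.3.2"`, the range this hunk encodes is `>= 1.0.4, < 4.3.2`, which matches the v1.0.4 boundary argued in the PR description; since only the event value changes here, confirm that any human-readable range statement elsewhere in the advisory is regenerated to say the same, otherwise the JSON and the prose will disagree about 1.0.3 and earlier.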

Copilot AI Mar 3, 2026


The affected range was narrowed to start at 1.0.4, but the details text still says "Versions 4.3.1 and earlier ... are affected", which implies all versions <= 4.3.1 (including 1.0.3 and earlier). Please update details to match the new range (e.g., affected versions 1.0.4 through 4.3.1).

@advisory-database advisory-database bot merged commit c6505b6 into ljharb/advisory-improvement-7102 Mar 3, 2026
7 of 9 checks passed
@advisory-database advisory-database bot (Contributor) commented

Hi @ljharb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the ljharb-GHSA-x6fg-f45m-jf5q branch March 3, 2026 20:03