GHSA-c2qf-rxjj-qqgw

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Database specific

{
    "github_reviewed_at": "2023-06-22T16:52:56Z",
    "severity": "HIGH",
    "nvd_published_at": "2023-06-21T05:15:09Z",
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed": true
}

References

Affected packages

npm / semver

Package

Name: semver; View open source insights on deps.dev
Purl: pkg:npm/semver

Affected ranges

Type: SEMVER
Events: Introduced

7.0.0

Fixed

7.5.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json"

npm / semver

Package

Name: semver; View open source insights on deps.dev
Purl: pkg:npm/semver

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.3.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json"

npm / semver

Package

Name: semver; View open source insights on deps.dev
Purl: pkg:npm/semver

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0-alpha

Fixed

5.7.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json"