semver vulnerable to Regular Expression Denial of Service
High severity
GitHub Reviewed
Published
Jun 21, 2023
to the GitHub Advisory Database
•
Updated Dec 6, 2024
Package
Affected versions
>= 7.0.0, < 7.5.2
>= 6.0.0, < 6.3.1
< 5.7.2
Patched versions
7.5.2
6.3.1
5.7.2
Description
Published by the National Vulnerability Database
Jun 21, 2023
Published to the GitHub Advisory Database
Jun 21, 2023
Reviewed
Jun 22, 2023
Last updated
Dec 6, 2024
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
References