Security Vuln In Semver Dependency #921

Closed
gamboaa opened this issue Jul 7, 2023 · 6 comments

Comments

@gamboaa

gamboaa commented Jul 7, 2023

```
├─┬ jsonwebtoken@9.0.1
│ └── semver@7.3.8 deduped
```

CVE-2022-25883 (OSSINDEX) 

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CWE-1333 Inefficient Regular Expression Complexity

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-25883] CWE-1333
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
OSSIndex - npm/node-semver#564
OSSIndex - https://vuldb.com/?id.232060

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a::semver:7.3.8:::::::
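Two checks a pipeline owner would want after a report like the one above, as an added example (this is not code from the jsonwebtoken project or from the issue author): a walk over an `npm ls --json`-style dependency tree that flags every copy of `semver` older than the fixed 7.5.2 release, and an input guard that rejects oversized or out-of-alphabet range strings before they ever reach `new semver.Range(...)`. The dependency tree, the helper names (`findVulnerable`, `isSafeRangeInput`, `compareVersions`) and the 256-character cap are assumptions made for the example; the tree layout (nested `dependencies` objects with a `version` field) mirrors npm's JSON output.

```javascript
// Added example, not part of the original issue or of the jsonwebtoken project.
// 1. Flag semver copies below the fixed release in an `npm ls --json`-style tree.
// 2. Guard untrusted range strings before handing them to `new semver.Range`.
// The sample tree below is constructed for this example, not real output.

const FIXED_SEMVER = '7.5.2'; // first release carrying the CVE-2022-25883 fix

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
// Build metadata ("+...") is deliberately not handled to keep the parser short.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below
// the release with the same core (the semver rule); ordering between two
// prereleases is simplified to plain string comparison.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Recursively collect every occurrence of `pkg`, with the path that pulled it
// in and whether its version is below `fixed`.
function findVulnerable(tree, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) {
      hits.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: compareVersions(node.version, fixed) < 0,
      });
    }
    hits.push(...findVulnerable(node, pkg, fixed, here));
  }
  return hits;
}

// Guard for range strings that come from untrusted input (an API parameter,
// a request header, a user-supplied manifest). ReDoS needs a long input to do
// real damage, so a length cap bounds the regex work; the alphabet check
// keeps the string to characters a semver range legitimately uses. Both are
// defence in depth on top of upgrading semver, not a replacement for it.
const MAX_RANGE_LENGTH = 256; // assumed cap; tune to the longest range you accept
const RANGE_CHARS = /^[0-9A-Za-z.\-+*xX^~<>=| ]+$/;
function isSafeRangeInput(s) {
  return typeof s === 'string'
    && s.length > 0
    && s.length <= MAX_RANGE_LENGTH
    && RANGE_CHARS.test(s);
}

// Constructed sample tree reproducing the layout in the report above, plus a
// second dependency that already ships a fixed semver.
const sampleTree = {
  name: 'app', version: '1.0.0',
  dependencies: {
    jsonwebtoken: { version: '9.0.1', dependencies: { semver: { version: '7.3.8' } } },
    'some-tool':  { version: '2.0.0', dependencies: { semver: { version: '7.5.4' } } },
  },
};

// Render one line per semver copy, suitable for a CI log.
function report(tree) {
  return findVulnerable(tree, 'semver', FIXED_SEMVER)
    .map(h => `${h.vulnerable ? 'VULNERABLE' : 'ok'} ${h.path}`);
}

for (const line of report(sampleTree)) console.log(line);
console.log('range guard:', isSafeRangeInput('^7.5.2'), isSafeRangeInput(' '.repeat(10000) + '1.2.3'));
```

Run against real output with `npm ls --json --all` piped into `findVulnerable`; the `deduped` marker in the text tree simply means the same copy is reachable from several parents, and the JSON form lists it under each parent, so every path is reported. The range guard is the check to put in front of any code path that builds a `Range` from request data; it does not make a vulnerable semver safe in general, it only keeps attacker-controlled strings short enough that the pathological regex cannot be driven into seconds of CPU.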

@dvasilen

See also #914 (comment)

@ched-dev

More info: GHSA-c2qf-rxjj-qqgw

@ramy-abbas

See also #919

@hugoArregui

I'm wondering if semver could become a devDependency instead of a normal dependency

@gabrielenosso

Up.
Our pipeline is broken because of the security issue.

@jakelacey2012
Contributor

The fix has been merged in #932 and released as part of the 9.0.2 release.
