Security Vuln In Semver Dependency #921
Comments
|
See also #914 (comment) |
|
More info: GHSA-c2qf-rxjj-qqgw |
|
See also #919 |
|
I'm wondering if semver could become a |
|
Up. |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
├─┬ jsonwebtoken@9.0.1
│ └── semver@7.3.8 deduped
CVE-2022-25883 (OSSINDEX)
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CWE-1333 Inefficient Regular Expression Complexity
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
OSSINDEX - [CVE-2022-25883] CWE-1333
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
OSSIndex - npm/node-semver#564
OSSIndex - https://vuldb.com/?id.232060
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::semver:7.3.8:::::::
The text was updated successfully, but these errors were encountered: