auth0/node-jsonwebtoken

Security Vuln In Semver Dependency

gamboaa opened this issue · 6 comments

├─┬ jsonwebtoken@9.0.1
│ └── semver@7.3.8 deduped

CVE-2022-25883 (OSSINDEX) 

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CWE-1333 Inefficient Regular Expression Complexity

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-25883] CWE-1333
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
OSSIndex - npm/node-semver#564
OSSIndex - https://vuldb.com/?id.232060

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a::semver:7.3.8:::::::

See also #919
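A CI-side check for the advisory above, as an added example that is not part of this issue or the node-jsonwebtoken project: it walks an npm lockfile and reports every copy of `semver` older than the fixed 7.5.2. The lockfile fragment is constructed; the single deduped semver@7.3.8 mirrors the `npm ls` output in the report.

```javascript
// Added example (not from the node-jsonwebtoken project): scan an npm
// lockfile for copies of `semver` below the fixed version 7.5.2
// (CVE-2022-25883) so a pipeline can fail before a vulnerable tree ships.
// Assumption: the lockfile uses the v2/v3 "packages" layout; the older
// v1 nested "dependencies" layout is not handled here.
const FIXED_SEMVER = "7.5.2";

// Compare two dotted release versions numerically, not lexically
// ("7.10.0" must sort above "7.5.2"). Prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile path whose package is `semver` older than the fix,
// including nested copies that npm did not dedupe.
function findVulnerableSemver(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/semver")) continue;
    if (compareVersions(entry.version, FIXED_SEMVER) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: jsonwebtoken@9.0.1 pulling a deduped semver@7.3.8,
// plus one nested, already-fixed copy that must not be reported.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { jsonwebtoken: "9.0.1" } },
    "node_modules/jsonwebtoken": { version: "9.0.1", dependencies: { semver: "^7.3.8" } },
    "node_modules/semver": { version: "7.3.8" },
    "node_modules/some-tool/node_modules/semver": { version: "7.5.4" },
  },
});

for (const h of findVulnerableSemver(SAMPLE_LOCK)) {
  console.log(`${h.path}: semver@${h.version} is below ${FIXED_SEMVER}`);
}
```

To use it on a real project, replace SAMPLE_LOCK with the contents of package-lock.json and fail the job when the returned list is non-empty.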

I'm wondering if semver could become a devDependency instead of a normal dependency

Up.
Our pipeline is broken because of the security issue.

The fix has been merged in #932 and released as part of the 9.0.2 release.