Security Vuln In Semver Dependency
gamboaa opened this issue · 6 comments
```text
├─┬ jsonwebtoken@9.0.1
│ └── semver@7.3.8 deduped
```
CVE-2022-25883 (OSSINDEX)
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CWE-1333 Inefficient Regular Expression Complexity
CVSSv3:
Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
OSSINDEX - [CVE-2022-25883] CWE-1333
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
OSSIndex - npm/node-semver#564
OSSIndex - https://vuldb.com/?id.232060
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::semver:7.3.8:::::::
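Two checks a practitioner wants at this point, written as an added example that is not code from the issue, from jsonwebtoken, or from semver itself: a script that walks an `npm ls --json`-style tree and flags every copy of `semver` below 7.5.2 together with the path that pulls it in (the sample tree is constructed to mirror the chain in the report), and a guard that bounds untrusted range text before it reaches `new Range`, which the advisory names as the only condition under which the ReDoS applies. The helper names, the 256-character cap and the `some-dev-tool` entry are assumptions, not anything from the advisory or the project.

```javascript
// Added example, not from the issue or from jsonwebtoken/semver.
// Part 1: flag transitive semver < 7.5.2 in an `npm ls --json`-style tree.
// Part 2: bound untrusted input before it is handed to semver's Range.
// The version comparison is a small local helper so this runs without the
// semver package installed (checking semver with semver would be circular).

const FIXED_SEMVER = '7.5.2'; // first version the advisory lists as not vulnerable

// Parse "MAJOR.MINOR.PATCH" (a -prerelease or +build suffix is ignored) into
// numbers. Returns null for anything that is not a release-shaped version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative if a < b, 0 if equal, positive if a > b; throws on unparsable input.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparsable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk over the `dependencies` map that `npm ls --json` emits.
// Each node is { version, dependencies? }. Returns one hit per vulnerable copy
// with the dependency path that introduces it.
function findVulnerableSemver(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'semver' && compareVersions(node.version, FIXED_SEMVER) < 0) {
      out.push({ version: node.version, path: here.join(' > ') });
    }
    findVulnerableSemver(node, here, out);
  }
  return out;
}

// Defensive guard for code that must pass user-supplied text to Range before
// the upgrade lands: reject oversized input and collapse whitespace runs so a
// single call cannot be fed arbitrarily long text. The cap is an assumed
// policy value; pick one that covers every legitimate range you accept.
const MAX_RANGE_LENGTH = 256;
function sanitizeRange(input) {
  if (typeof input !== 'string' || input.length > MAX_RANGE_LENGTH) return null;
  return input.trim().replace(/\s+/g, ' ');
}

// Constructed sample: the chain from the issue plus a hypothetical dev-only
// tool that already carries a fixed semver, to show the check tells them apart.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    jsonwebtoken: {
      version: '9.0.1',
      dependencies: { semver: { version: '7.3.8' } },
    },
    'some-dev-tool': {
      version: '2.0.0',
      dependencies: { semver: { version: '7.5.4' } },
    },
  },
};

const HITS = findVulnerableSemver(SAMPLE_TREE);
for (const h of HITS) {
  console.log(`semver@${h.version} < ${FIXED_SEMVER} via ${h.path}`);
}
```

In CI, feed the script the real output of `npm ls --json --all` and exit non-zero when the hit list is non-empty. Until the fixed version arrives transitively, npm's `overrides` field in package.json (for example `"overrides": { "semver": "^7.5.2" }`) forces the resolution; rerun the check afterwards to confirm no older copy survives. Note that moving semver to a devDependency, as asked below, does not change what this check reports unless the tree is produced with `--omit=dev`, and it does nothing for the production install of jsonwebtoken, which still declares semver as a regular dependency.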
See also #914 (comment)
More info: GHSA-c2qf-rxjj-qqgw
See also #919
I'm wondering if semver could become a devDependency instead of a normal dependency.
Up.
Our pipeline is broken because of the security issue.