Semver Veracode Vulnerability CVE-2022-25883 | CWE-1333
SanthoshReddyTR opened this issue · 4 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
semver is vulnerable to Regular Expression Denial Of Service (ReDoS) attacks. A malicious user is able to cause parsing slowdowns when untrusted user data is provided as a range via the function parseRange, due to the usage of a regex expression with inefficient time complexity.
Please find the below screenshot
Expected Behavior
No response
Steps To Reproduce
No response
Environment
- npm: 6.14.8
- Node: v14.15.0
- OS: WINDOWS
- platform: Dell
I am getting the above-mentioned vulnerabilities on a Veracode scan. Please suggest a resolution for this.
Update to a supported version of node, or update to at least node v14.17.0 which is the minimum version that npm version 9 supports. Newer versions of npm do not have this alert.
Node release/support info is at https://github.com/nodejs/release#release-schedule
As per the suggestion we have upgraded to Node v18.x; the vulnerability still exists. Kindly help here. The path it is showing:
Affected package file path: usr/local/lib/node_modules/npm/node_modules/semver/package.json
Affected package version: 7.5.1
Affected package fix version: 7.5.2
Finding Title: CVE-2022-25883 - semver
It doesn't look like Node has backported a fix to v18. nodejs/node#48835