Platform: nodejs
Component: semver-regex
Fixed in: 3.1.3, 4.0.1
CVE-2021-3795 describes a Denial of Service (DoS) vulnerability affecting the semver-regex package, a popular Node.js library used for validating semantic versioning strings. This vulnerability allows an attacker to trigger excessive CPU usage by crafting malicious semver strings, potentially leading to service disruption or instability. The vulnerability impacts versions of semver-regex prior to 3.1.3, and a patch has been released to address the issue.
The core of the vulnerability lies in an inefficient regular expression used by semver-regex to parse semantic versioning strings. A carefully constructed input string can cause the regular expression engine to enter a state of exponential backtracking, consuming excessive CPU resources. This can effectively render the application or service utilizing semver-regex unresponsive, leading to a denial of service. The impact is particularly severe in environments where semver-regex is used in critical components or exposed to untrusted input, such as API endpoints or command-line tools. While direct remote code execution is not possible, the DoS condition can be leveraged to disrupt services and potentially facilitate other attacks.
CVE-2021-3795 was publicly disclosed on September 20, 2021. While no active exploitation campaigns have been definitively linked to this vulnerability, the ease of triggering the DoS condition makes it a potential target for opportunistic attackers. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the vulnerability's ease of exploitation.
Applications and services built on Node.js that utilize the semver-regex package for version validation or processing are at risk. This includes projects that handle user-provided version information, interact with package managers, or rely on external systems that provide version strings. Specifically, projects using older versions of npm or yarn that automatically install vulnerable dependencies are particularly susceptible.
• nodejs / server: Run npm list semver-regex. If the output shows a version prior to 3.1.3, the system is vulnerable.
• nodejs / server: Run npm audit semver-regex. This command will identify vulnerable packages in your project.
• nodejs / supply-chain: Examine package.json files for dependencies on semver-regex and check their versions.
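The manual package.json check above misses nested copies of semver-regex that a transitive dependency pulls in. The script below is an added example, not code from the advisory or from the semver-regex project: it walks the "packages" map of a lockfile v2/v3 package-lock.json, finds every installed semver-regex (top-level or nested), and flags versions below the fixed releases 3.1.3 and 4.0.1 listed on this page. The sample lockfile is constructed for the demonstration; the assumption that majors after 4.x postdate the fix is marked in the code.

```javascript
// Added example (not from the advisory or the semver-regex project): audit a
// package-lock.json for semver-regex copies that predate the fixed releases.
const FIXED_BY_MAJOR = { 3: [3, 1, 3], 4: [4, 0, 1] }; // fixed versions from the advisory

// Parse the leading MAJOR.MINOR.PATCH of a version string; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// true = vulnerable, false = fixed, null = version could not be parsed (treat as unknown).
function isVulnerableSemverRegex(version) {
  const parts = parseVersion(version);
  if (!parts) return null;
  const major = parts[0];
  if (major < 3) return true;                  // 2.x and earlier never received the fix
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return false;                    // assumption: majors after 4.x were released post-fix
  return compareVersions(parts, fixed) < 0;
}

// Scan the lockfile's "packages" map; keys look like
// "node_modules/foo/node_modules/semver-regex" for nested installs.
function findVulnerableSemverRegex(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/semver-regex$/.test(path)) continue;
    if (isVulnerableSemverRegex(meta.version) !== false) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): the top-level copy is fixed,
// a nested copy under "some-tool" is still on 3.1.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/semver-regex': { version: '4.0.1' },
    'node_modules/some-tool': { version: '2.3.0' },
    'node_modules/some-tool/node_modules/semver-regex': { version: '3.1.2' },
  },
};

// Stand-alone use: `node audit.js [path/to/package-lock.json]`; without an
// argument the constructed sample above is scanned.
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : sampleLock;
  for (const hit of findVulnerableSemverRegex(lock)) {
    console.log(`vulnerable semver-regex ${hit.version} at ${hit.path}`);
  }
}
```

Run it against a real lockfile to catch copies that `npm list semver-regex` only shows when you read the whole dependency tree; a hit under a nested `node_modules` path means the parent package pins an old range and needs its own update or an override.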
Disclosure:
Exploit status:
EPSS: 0.23% (45th percentile)
CVSS vector:
The primary mitigation for CVE-2021-3795 is to upgrade the semver-regex package to version 3.1.3 or later. This version incorporates a more efficient regular expression that prevents the backtracking issue. If upgrading is not immediately feasible due to compatibility constraints or breaking changes, consider implementing input validation to sanitize semver strings before passing them to semver-regex. This could involve limiting the length or complexity of the input. While not a complete solution, this can reduce the likelihood of triggering the vulnerability. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it's primarily a code-level issue. After upgrading, confirm the fix by testing with known malicious semver strings to ensure CPU usage remains within acceptable limits.
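The interim mitigation described above (validate and bound the input before it reaches the regular expression) is shown here as an added example; it is not code from the advisory or from the semver-regex project. screenSemverInput is the cheap pre-filter: a length cap and a single-pass character check, so an overlong or non-semver string is rejected before any backtracking engine sees it. parseSemverStrict goes further and validates the full semver 2.0 grammar with plain string operations, no regex at all, so it runs in time linear in the input length regardless of how the string is shaped. The 256-character cap is an assumption chosen for this example.

```javascript
// Added example (not from the advisory or the semver-regex project): guard
// untrusted version strings before they reach a backtracking regex.
const MAX_SEMVER_LENGTH = 256; // assumption: generous cap for real-world version strings

// Characters allowed inside a semver identifier: [0-9A-Za-z-]
function isIdentChar(c) {
  return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c === '-';
}

// Cheap pre-filter: length bound plus charset screen, one pass, no regex.
// Use this in front of a library call you cannot replace yet.
function screenSemverInput(input, maxLength = MAX_SEMVER_LENGTH) {
  if (typeof input !== 'string' || input.length === 0 || input.length > maxLength) return false;
  for (const c of input) {
    if (!(isIdentChar(c) || c === '.' || c === '+')) return false;
  }
  return true;
}

// Core version numbers: digits only, no leading zeros.
function validNumeric(id) {
  if (id.length === 0) return false;
  for (const c of id) if (c < '0' || c > '9') return false;
  return id.length === 1 || id[0] !== '0';
}

// Prerelease / build identifiers: non-empty, [0-9A-Za-z-] only; numeric
// prerelease identifiers must not have leading zeros (build identifiers may).
function validIdentifiers(list, allowLeadingZero) {
  for (const id of list) {
    if (id.length === 0) return false;
    let numeric = true;
    for (const c of id) {
      if (!isIdentChar(c)) return false;
      if (c < '0' || c > '9') numeric = false;
    }
    if (numeric && !allowLeadingZero && id.length > 1 && id[0] === '0') return false;
  }
  return true;
}

// Full semver 2.0 validation without a regular expression. Returns the parsed
// parts, or null if the input is not a valid version string.
function parseSemverStrict(input, maxLength = MAX_SEMVER_LENGTH) {
  if (!screenSemverInput(input, maxLength)) return null;
  let rest = input;
  let build = [];
  const plus = rest.indexOf('+');              // build metadata starts at the first '+'
  if (plus !== -1) {
    build = rest.slice(plus + 1).split('.');
    rest = rest.slice(0, plus);
  }
  let prerelease = [];
  const dash = rest.indexOf('-');              // prerelease starts at the first '-'
  if (dash !== -1) {
    prerelease = rest.slice(dash + 1).split('.');
    rest = rest.slice(0, dash);
  }
  const core = rest.split('.');
  if (core.length !== 3 || !core.every(validNumeric)) return null;
  if (plus !== -1 && !validIdentifiers(build, true)) return null;
  if (dash !== -1 && !validIdentifiers(prerelease, false)) return null;
  return {
    major: Number(core[0]),
    minor: Number(core[1]),
    patch: Number(core[2]),
    prerelease,
    build,
  };
}

// Wrapper for code that must keep calling an existing regex-based validator
// (passed in as libraryTest): the screen runs first, so the library only ever
// sees short, well-formed-looking input.
function guardedTest(input, libraryTest) {
  return screenSemverInput(input) && libraryTest(input);
}
```

Which function to use depends on how far the upgrade has progressed: guardedTest keeps the existing library in place with the pre-filter the advisory suggests, while parseSemverStrict removes the regex from the request path entirely and is the better long-term choice for any endpoint that accepts version strings from untrusted clients.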
Update the semver-regex dependency to version 4.0.1 or later. If you are using version 3.x, update to version 3.1.3 or later. This fixes the inefficient regular expression complexity vulnerability.
CVE-2021-3795 is a Denial of Service vulnerability in the semver-regex Node.js package, allowing attackers to cause excessive CPU usage with crafted version strings.
You are affected if your project uses semver-regex versions prior to 3.1.3. Check your package.json file and run npm audit semver-regex to confirm.
Upgrade the semver-regex package to version 3.1.3 or higher using npm install semver-regex@3.1.3 or your preferred package manager.
While no confirmed active exploitation campaigns are publicly known, the ease of exploitation makes it a potential target.
Refer to the npm advisory for CVE-2021-3795: https://www.npmjs.com/advisories/1811