Platform: nodejs
Component: semver
Fixed in: 7.5.2
CVE-2022-25883 identifies a Denial of Service (DoS) vulnerability within the semver package. This vulnerability stems from a Regular Expression Denial of Service (ReDoS) condition triggered when the 'new Range' function processes untrusted user-supplied data. Affected versions include those prior to 7.5.2 on the 7.x branch, versions before 6.3.1 on the 6.x branch, and all versions before 5.7.2. Upgrading to version 7.5.2 resolves this issue.
The core impact of CVE-2022-25883 is a potential Denial of Service. An attacker can craft malicious input designed to exploit the ReDoS vulnerability within the new Range function. This crafted input will cause the regular expression engine to consume excessive CPU resources, potentially leading to a complete service outage or significant performance degradation. The blast radius is limited to applications directly utilizing the vulnerable semver package, but widespread adoption means many projects could be affected. Successful exploitation could disrupt critical application functionality and impact user experience.
CVE-2022-25883 was published on June 21, 2023. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The EPSS score is currently not available, but given the nature of ReDoS vulnerabilities and the potential for easy exploitation, it warrants careful attention. Public Proof-of-Concept (PoC) code is likely to emerge, increasing the risk of exploitation.
Exploit status
EPSS: 0.58% (69th percentile)
CVSS vector
The primary mitigation for CVE-2022-25883 is to upgrade the semver package to version 7.5.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing input validation on the range string provided to the new Range function. Specifically, restrict the input to a known safe format. Web application firewalls (WAFs) configured to detect and block ReDoS patterns might offer a temporary layer of protection, but this is not a substitute for patching. After upgrading, confirm the vulnerability is resolved by attempting to trigger the new Range function with a known malicious input string and verifying that it no longer causes excessive CPU usage.
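One way to implement the input-validation fallback described above, as an added example that is not part of the advisory or of the semver project: an allow-list check applied to the range string before it ever reaches `new Range`. The grammar, the 256-character cap and the function name `sanitizeRangeString` are assumptions about what a "known safe format" might look like for a typical application.

```javascript
// Added example (not from the advisory or the semver project): allow-list
// validation for range strings before they are handed to `new Range`.
// The grammar below, the length cap and the function name are assumptions
// about what a "known safe format" could be for a typical application.

const MAX_RANGE_LENGTH = 256; // assumed cap; ReDoS cost grows with input length

// One version token: up to three numeric/x/* parts, optional prerelease and
// build tags. Every quantifier sits on a character class with a fixed upper
// bound, so this check itself runs in linear time on any input.
const VERSION =
  '[0-9xX*]{1,10}(?:\\.[0-9xX*]{1,10}){0,2}' +
  '(?:-[0-9A-Za-z.-]{1,32})?(?:\\+[0-9A-Za-z.-]{1,32})?';
// Optional operator (<, <=, >, >=, =, ^, ~) and optional leading "v".
const COMPARATOR = `(?:[<>]=?|=|\\^|~)?v?${VERSION}`;
// "1.2.3 - 2.0.0" style hyphen range.
const HYPHEN = `${VERSION} - ${VERSION}`;
// A comparator set: a hyphen range, or up to eight space-separated comparators.
const SET = `(?:${HYPHEN}|${COMPARATOR}(?: ${COMPARATOR}){0,7})`;
// Full range: up to eight sets joined by " || ", anchored at both ends.
const RANGE_RE = new RegExp(`^${SET}(?: \\|\\| ${SET}){0,7}$`);

// Returns the normalised range string if it passes the allow-list, else null.
// Whitespace is collapsed first so the strict single-space grammar applies.
function sanitizeRangeString(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim().replace(/\s+/g, ' ');
  if (s.length === 0 || s.length > MAX_RANGE_LENGTH) return null;
  return RANGE_RE.test(s) ? s : null;
}

// Usage at the call site (semver is not loaded here so the snippet runs offline):
//   const safe = sanitizeRangeString(untrustedInput);
//   if (safe === null) { reject the request; }
//   else { const range = new semver.Range(safe); }
```

Rejected strings should be logged with their length and source so that repeated oversized or malformed range inputs show up in monitoring.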
Update the semver package to version 7.5.2 or later to mitigate the ReDoS vulnerability. Be sure to review your project's dependencies to identify any instance where a vulnerable version of semver is in use. The update can be performed with the npm package manager.
CVE-2022-25883 is a Denial of Service vulnerability in the semver package, allowing attackers to trigger a ReDoS via the 'new Range' function with malicious input, potentially causing service outages.
You are affected if you are using semver versions prior to 7.5.2 (7.x), 6.3.1 (6.x), or 5.7.2. Check your project dependencies immediately.
Upgrade the semver package to version 7.5.2 or later. If immediate upgrade is not possible, implement input validation on the range string.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target, and PoCs are likely to emerge.
Refer to the semver package's advisory on npm: https://www.npmjs.com/advisories/1003