Scan free
HIGHCVE-2021-3795CVSS 7.5

CVE-2021-3795: DoS in semver-regex Node.js Package

Platform

nodejs

Component

semver-regex

Fixed in

3.1.3

4.0.1

3.1.3

AI Confidence: highNVDEPSS 0.2%Reviewed: May 2026
View on NVD
Save

CVE-2021-3795 is a Denial of Service (DoS) vulnerability affecting the semver-regex package, a popular Node.js library used for validating semantic versioning strings. This vulnerability allows an attacker to trigger excessive CPU usage by providing specially crafted semver strings, potentially leading to service disruption or denial of service. The vulnerability impacts versions of semver-regex prior to 3.1.3, and a patch has been released.

Impact and Attack Scenarios

The core of this vulnerability lies in the regular expression used by semver-regex to parse semantic versioning strings. A maliciously crafted input string, designed to exploit the complexity of the regular expression, can cause it to enter an infinite loop or consume an excessive amount of CPU resources. This can effectively overwhelm the Node.js process, making it unresponsive and potentially crashing the application. The blast radius extends to any application relying on the vulnerable semver-regex package, particularly those handling user-supplied version information or interacting with external systems that provide version strings.

Exploitation Context

This vulnerability was publicly disclosed on September 20, 2021. While no active exploitation campaigns have been definitively linked to CVE-2021-3795, the ease of triggering the vulnerability with a simple crafted string makes it a potential target for opportunistic attackers. It is not currently listed on CISA KEV. Public proof-of-concept code is readily available, demonstrating the vulnerability's exploitability.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
NextGuard100% still vulnerable

EPSS

0.23% (45% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentsemver-regex
Vendorosv
Affected rangeFixed in
3.1.23.1.3
4.0.04.0.1
3.1.3

Package Information

Last updated
4.0.548 months ago

Weakness Classification (CWE)

CWE-1333

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -9 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2021-3795 is to upgrade the semver-regex package to version 3.1.3 or higher. This patched version includes a revised regular expression that avoids the problematic complexity. If upgrading is not immediately feasible, consider implementing input validation to sanitize semver strings before passing them to semver-regex. This could involve limiting the length of the input or enforcing a stricter format. While a WAF is unlikely to directly address this, rate limiting requests containing version strings could help mitigate the impact of a DoS attack. After upgrading, confirm the fix by testing the application with various semver strings, including potentially malicious ones, to ensure the CPU usage remains within acceptable limits.

How to fix

Update the semver-regex dependency to version 4.0.1 or higher. If you are using a version 3.x, update to version 3.1.3 or higher. This corrects the inefficient regular expression complexity vulnerability.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2021-3795 — DoS in semver-regex?

CVE-2021-3795 is a Denial of Service vulnerability in the semver-regex Node.js package, allowing attackers to cause excessive CPU usage with crafted version strings.

Am I affected by CVE-2021-3795 in semver-regex?

You are affected if your project uses semver-regex versions prior to 3.1.3. Check your package.json file and run npm audit semver-regex to confirm.

How do I fix CVE-2021-3795 in semver-regex?

Upgrade the semver-regex package to version 3.1.3 or higher using npm install [email protected] or your preferred package manager.

Is CVE-2021-3795 being actively exploited?

While no confirmed active exploitation campaigns are publicly known, the ease of exploitation makes it a potential target.

Where can I find the official semver-regex advisory for CVE-2021-3795?

Refer to the npm advisory for CVE-2021-3795: https://www.npmjs.com/advisories/1811

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs