Platform
nodejs
Component
semver-regex
Fixed in
3.1.3
4.0.1
3.1.3
CVE-2021-3795 is a Denial of Service (DoS) vulnerability affecting the semver-regex package, a popular Node.js library used for validating semantic versioning strings. This vulnerability allows an attacker to trigger excessive CPU usage by providing specially crafted semver strings, potentially leading to service disruption or denial of service. The vulnerability impacts versions of semver-regex prior to 3.1.3, and a patch has been released.
The core of this vulnerability lies in the regular expression used by semver-regex to parse semantic versioning strings. A maliciously crafted input string, designed to exploit the complexity of the regular expression, can cause it to enter an infinite loop or consume an excessive amount of CPU resources. This can effectively overwhelm the Node.js process, making it unresponsive and potentially crashing the application. The blast radius extends to any application relying on the vulnerable semver-regex package, particularly those handling user-supplied version information or interacting with external systems that provide version strings.
This vulnerability was publicly disclosed on September 20, 2021. While no active exploitation campaigns have been definitively linked to CVE-2021-3795, the ease of triggering the vulnerability with a simple crafted string makes it a potential target for opportunistic attackers. It is not currently listed on CISA KEV. Public proof-of-concept code is readily available, demonstrating the vulnerability's exploitability.
Exploit Status
EPSS
0.23% (45% percentile)
CVSS Vector
The primary mitigation for CVE-2021-3795 is to upgrade the semver-regex package to version 3.1.3 or higher. This patched version includes a revised regular expression that avoids the problematic complexity. If upgrading is not immediately feasible, consider implementing input validation to sanitize semver strings before passing them to semver-regex. This could involve limiting the length of the input or enforcing a stricter format. While a WAF is unlikely to directly address this, rate limiting requests containing version strings could help mitigate the impact of a DoS attack. After upgrading, confirm the fix by testing the application with various semver strings, including potentially malicious ones, to ensure the CPU usage remains within acceptable limits.
Update the semver-regex dependency to version 4.0.1 or higher. If you are using a version 3.x, update to version 3.1.3 or higher. This corrects the inefficient regular expression complexity vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-3795 is a Denial of Service vulnerability in the semver-regex Node.js package, allowing attackers to cause excessive CPU usage with crafted version strings.
You are affected if your project uses semver-regex versions prior to 3.1.3. Check your package.json file and run npm audit semver-regex to confirm.
Upgrade the semver-regex package to version 3.1.3 or higher using npm install [email protected] or your preferred package manager.
While no confirmed active exploitation campaigns are publicly known, the ease of exploitation makes it a potential target.
Refer to the npm advisory for CVE-2021-3795: https://www.npmjs.com/advisories/1811
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.