CVE-2015-8855
Regular Expression Denial of Service (ReDoS) vulnerability in semver (npm)
What is CVE-2015-8855 About?
Versions 4.3.1 and earlier of the `semver` package are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. This occurs when parsing extremely long version strings, causing excessive processing time and potentially leading to a denial of service. Exploitation typically involves sending a crafted, lengthy input string, making it relatively straightforward for an attacker.
Affected Software
Technical Details
The semver package, specifically versions 4.3.1 and earlier, is susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability. This flaw exists within the regular expressions used by the package to parse and validate version strings. When an attacker provides an extremely long and specifically crafted version string as input, the regular expression engine enters a state of catastrophic backtracking. This causes an exponential increase in processing time for the input, consuming excessive CPU resources. As a result, the application or server processing the malicious input becomes unresponsive or crashes, leading to a denial of service for legitimate users.
What is the Impact of CVE-2015-8855?
Successful exploitation may allow attackers to cause a denial of service, making the affected application or server unresponsive to legitimate requests.
What is the Exploitability of CVE-2015-8855?
Exploiting this vulnerability involves crafting an extremely long string that triggers the ReDoS condition. This is a low-complexity attack requiring no authentication or special privileges if the semver parsing function is exposed to user-controlled input. This can be a remote attack if the application processes version strings from external sources (e.g., HTTP requests, configuration files). The main constraint is identifying an input vector that is processed by the vulnerable semver library. The likelihood of exploitation is high in applications that parse untrusted or user-supplied version strings, as it can be easily triggered with malicious input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-8855?
Available Upgrade Options
- semver
- <4.3.2 → Upgrade to 4.3.2
Additional Resources
- https://nodesecurity.io/advisories/31
- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
- https://www.npmjs.com/advisories/31
- https://osv.dev/vulnerability/GHSA-x6fg-f45m-jf5q
- http://www.securityfocus.com/bid/86957
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://nvd.nist.gov/vuln/detail/CVE-2015-8855
- https://github.com/advisories/GHSA-x6fg-f45m-jf5q
What are Similar Vulnerabilities to CVE-2015-8855?
Similar Vulnerabilities: CVE-2015-8378, CVE-2016-10756, CVE-2017-1000041, CVE-2017-1000042, CVE-2017-1000043
