CVE-2022-25883
Regular Expression Denial of Service vulnerability in semver (npm)

Type: Regular Expression Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2022-25883 About?

The 'semver' package is vulnerable to a Regular Expression Denial of Service (ReDoS) when processing untrusted user data as a version range. This can lead to a denial of service for applications using the affected versions of the library. Exploitation is relatively easy for an attacker who can supply malicious version range strings.

Affected Software

  • semver
    • >7.0.0, <7.5.2
    • <5.7.2
    • >6.0.0, <6.3.1

Technical Details

The vulnerability is a Regular Expression Denial of Service (ReDoS) affecting 'semver' versions before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2. It occurs in the Range constructor (new Range) when untrusted, user-supplied data is parsed as a version range. The regular expressions used there exhibit catastrophic backtracking. An attacker who can supply a sufficiently long or malformed version range string can make the regex engine consume excessive CPU time while matching it, leaving the application unresponsive or crashing it, which results in a denial of service.

What is the Impact of CVE-2022-25883?

Successful exploitation may allow attackers to cause a denial of service (DoS) condition, making the affected service unresponsive or unavailable to legitimate users.

What is the Exploitability of CVE-2022-25883?

Exploitation involves supplying a specially crafted version range string to the new Range function of the 'semver' library. This is typically a remote attack when the application accepts user input that is then parsed as a semantic version range. No authentication or special privileges are required, and the complexity is low: it is only a matter of crafting the right input string. The primary risk factor is any application that takes untrusted, user-supplied input and passes it directly to 'semver' for range parsing without imposing length limits or other sanitization. The ease of exploitation is therefore high, as an attacker only needs to send the malicious string.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-25883?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch normalizes and collapses excessive whitespace in version range and comparator strings before processing, and introduces "safe" regular expressions that avoid greedy whitespace patterns. Together these prevent regex denial of service (ReDoS) via maliciously crafted inputs containing large amounts of spaces. This directly addresses CVE-2022-25883 by ensuring that user input can no longer trigger exponential backtracking in the vulnerable regexes, thus fixing the ReDoS vulnerability.
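The following is an added illustration of the defensive idea described in this fix and in the exploitability section above (collapse whitespace and bound the input before any regex parsing). It is example code, not semver's own code or Resolved Security's patch; MAX_RANGE_LENGTH, the comparator grammar and the function names are assumptions made for this example, and the guard is meant to run before a range string reaches new Range.

```javascript
// Added example (not semver's code): a pre-parse guard for untrusted version-range strings.
// Assumption: MAX_RANGE_LENGTH is a limit chosen for this example, not a semver setting.
const MAX_RANGE_LENGTH = 256;

// One comparator: optional operator, optional "v", up to three numeric or wildcard
// components, optional prerelease and build suffixes. Each quantified piece is a fixed
// alternation or a single character class, so matching stays linear in the input length.
const COMPARATOR_RE =
  /^(?:>=|<=|>|<|=|~|\^)?v?(?:\d+|[xX*])(?:\.(?:\d+|[xX*]))?(?:\.(?:\d+|[xX*]))?(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Bound the length, then collapse whitespace so no run of spaces survives to the parser.
function normalizeRange(input) {
  if (typeof input !== 'string') throw new TypeError('range must be a string');
  if (input.length > MAX_RANGE_LENGTH) throw new RangeError('range too long');
  return input
    .trim()
    .replace(/\s+/g, ' ')                   // any whitespace run -> one space
    .replace(/\s*\|\|\s*/g, '||')           // "1.x  ||  2.x" -> "1.x||2.x"
    .replace(/(>=|<=|>|<|=|~|\^) +/g, '$1') // ">=   1.2.3" -> ">=1.2.3"
    .replace(/ +- +/g, ' - ');              // hyphen ranges become exactly "a - b"
}

// Accept a range only if every comparator in every set matches the linear grammar above.
function isWellFormedRange(input) {
  let s;
  try { s = normalizeRange(input); } catch (e) { return false; }
  if (s === '') return true; // an empty range means "*" in semver
  for (const set of s.split('||')) {
    const sides = set.split(' - ');
    if (sides.length > 2) return false; // at most one hyphen range per set
    for (const side of sides) {
      for (const comp of side.split(' ')) {
        if (!COMPARATOR_RE.test(comp)) return false;
      }
    }
  }
  return true;
}
```

Only a string that passes isWellFormedRange (and is already whitespace-normalized) would then be handed to semver, so an oversized or space-padded input is rejected in constant time rather than reaching a backtracking regex.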

Available Upgrade Options

  • semver
    • <5.7.2 → Upgrade to 5.7.2
    • >6.0.0, <6.3.1 → Upgrade to 6.3.1
    • >7.0.0, <7.5.2 → Upgrade to 7.5.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25883?

Similar Vulnerabilities: CVE-2022-25881, CVE-2021-3918, CVE-2021-42200, CVE-2021-45061, CVE-2021-44716