CVE-2022-25883 Information

Description

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range when untrusted user data is provided as a range.

Reference

https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
https://github.com/npm/node-semver/blob/main/internal/re.js#L138
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
https://github.com/npm/node-semver/blob/main/internal/re.js#L160
https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
https://github.com/npm/node-semver/pull/564