semver vulnerable to Regular Expression Denial of Service #28

Closed
opened 2023-07-18 04:47:31 +00:00 by argoyle · 0 comments
argoyle commented 2023-07-18 04:47:31 +00:00 (Migrated from gitlab.com)

⚠️ `dependabot-gitlab` has detected a security vulnerability for `semver` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|--------------|----------|-------------------|------------------|----------------------------------------|
| semver (NPM) | MODERATE | < 5.7.2 | 5.7.2 | `GHSA-c2qf-rxjj-qqgw`, `CVE-2022-25883` |

# Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function `new Range`, when untrusted user data is provided as a range.

# References

* https://nvd.nist.gov/vuln/detail/CVE-2022-25883
* https://github.com/npm/node-semver/pull/564
* https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
* https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
* https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
* https://github.com/npm/node-semver/blob/main/internal/re.js#L138
* https://github.com/npm/node-semver/blob/main/internal/re.js#L160
* https://github.com/npm/node-semver/pull/585
* https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
* https://github.com/npm/node-semver/pull/593
* https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
* https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
argoyle (Migrated from gitlab.com) closed this issue 2023-07-22 07:57:25 +00:00

Reference: dancefinder/dancefinder-app#28