{"api_version":"1","generated_at":"2026-04-22T22:50:51+00:00","cve":"CVE-2022-25883","urls":{"html":"https://cve.report/CVE-2022-25883","api":"https://cve.report/api/cve/CVE-2022-25883.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-25883","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-25883"},"summary":{"title":"CVE-2022-25883","description":"Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2023-06-21 05:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138","name":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160","name":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795","name":"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795","refsource":"MISC","tags":[],"title":"Regular Expression Denial of Service (ReDoS) in semver | CVE-2022-25883 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104","name":"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":""},{"url":"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441","name":"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441","refsource":"MISC","tags":[],"title":"fix: better handling of whitespace (#564) · npm/node-semver@717534e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/npm/node-semver/pull/564","name":"https://github.com/npm/node-semver/pull/564","refsource":"MISC","tags":[],"title":"fix: better handling of whitespace by lukekarrys · Pull Request #564 · npm/node-semver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104","name":"MISC:https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104","refsource":"MITRE","tags":[],"title":"node-semver/range.js at main · npm/node-semver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js#L138","name":"MISC:https://github.com/npm/node-semver/blob/main/internal/re.js%23L138","refsource":"MITRE","tags":[],"title":"node-semver/internal/re.js at main · npm/node-semver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js#L160","name":"MISC:https://github.com/npm/node-semver/blob/main/internal/re.js%23L160","refsource":"MITRE","tags":[],"title":"node-semver/internal/re.js at main · npm/node-semver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-25883","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25883","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"25883","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"npmjs","cpe5":"semver","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-25883","qid":"160945","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-5363)"},{"cve":"CVE-2022-25883","qid":"160946","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-5362)"},{"cve":"CVE-2022-25883","qid":"160947","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-5360)"},{"cve":"CVE-2022-25883","qid":"242084","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5363)"},{"cve":"CVE-2022-25883","qid":"242085","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5361)"},{"cve":"CVE-2022-25883","qid":"242086","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5362)"},{"cve":"CVE-2022-25883","qid":"242087","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5360)"},{"cve":"CVE-2022-25883","qid":"242105","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 9 (RHSA-2023:5486)"},{"cve":"CVE-2022-25883","qid":"242106","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 7 (RHSA-2023:5484)"},{"cve":"CVE-2022-25883","qid":"242122","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 8 (RHSA-2023:5485)"},{"cve":"CVE-2022-25883","qid":"355802","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-290"},{"cve":"CVE-2022-25883","qid":"907082","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (27208-1)"},{"cve":"CVE-2022-25883","qid":"907107","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (27207-1)"},{"cve":"CVE-2022-25883","qid":"941273","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5362)"},{"cve":"CVE-2022-25883","qid":"941274","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:5360)"},{"cve":"CVE-2022-25883","qid":"941275","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5363)"},{"cve":"CVE-2022-25883","qid":"961024","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:5363)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-25883","ASSIGNER":"report@snyk.io","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Regular Expression Denial of Service (ReDoS)","cweId":"CWE-1333"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"semver","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"7.5.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795","refsource":"MISC","name":"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"},{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160","refsource":"MISC","name":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"},{"url":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138","refsource":"MISC","name":"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"},{"url":"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104","refsource":"MISC","name":"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"},{"url":"https://github.com/npm/node-semver/pull/564","refsource":"MISC","name":"https://github.com/npm/node-semver/pull/564"},{"url":"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441","refsource":"MISC","name":"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"}]},"credits":[{"lang":"en","value":"Alessio Della Libera - Snyk Research Team"}],"impact":{"cvss":[{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P"}]}},"nvd":{"publishedDate":"2023-06-21 05:15:00","lastModifiedDate":"2023-11-07 03:44:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.7.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.3.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:npmjs:semver:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.5.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}