JFrog Security Research

XRAY-211349 - semver-regex ReDoS

CVE-2021-43307 | CVSS 5.9

JFrog Severity: medium

Discovered by Denys Vozniuk of the JFrog Security Research Team

Published 30 May, 2022 | Last updated 30 May, 2022

Exponential ReDoS in semver-regex leads to denial of service


Affected versions: semver-regex (,3.1.3]|[4.0.0,4.0.2] (every release up to and including 3.1.3, and 4.0.0 through 4.0.2); fixed in 3.1.4 and 4.0.3

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test method of the returned regular expression. Matching time grows exponentially with the length of the crafted input, so a short string is enough to keep the event loop busy and deny service.

Proof-of-concept input, as a JavaScript expression in which i controls the number of repetitions (each increment of i multiplies the matching time):

'0.0.1-' + '-.--'.repeat(i) + ' '

No mitigations are supplied for this issue; upgrade to semver-regex 3.1.4 or 4.0.3.
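The following is an added example, not code from this advisory or from the semver-regex project. It reproduces the advisory's payload, times a regex against it for increasing i so that exponential growth can be confirmed without hanging a process, and shows a length cap that bounds the worst case at a call site that cannot upgrade yet. EXPONENTIAL_PRERELEASE_RE is constructed here to have the same exponential shape (a run of '-' can be consumed in overlapping ways by the outer loop, by `--+` and by `[.\w-]*`) and is an assumption for illustration; it is not the pattern that semver-regex ships. SEMVER_ORG_RE is the semver.org reference pattern, used as a linear comparison because each pre-release identifier there is delimited by '.' and can be tokenised only one way. The names buildPayload, measureGrowth and guardedTest are this example's own.

```javascript
// Payload shape taken from the advisory: '0.0.1-' + '-.--'.repeat(i) + ' '
function buildPayload(i) {
  return '0.0.1-' + '-.--'.repeat(i) + ' ';
}

// CONSTRUCTED regex (assumption, not semver-regex's own pattern). In the
// pre-release part `(?:-(?:--+)?[.\w-]*)*` every '-' may start a new outer
// iteration, be eaten by `--+`, or be eaten by `[.\w-]*`, so a run of n dashes
// has exponentially many parses. The trailing space makes `$` fail, and the
// backtracking engine then tries every parse before reporting "no match".
const EXPONENTIAL_PRERELEASE_RE =
  /^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:--+)?[.\w-]*)*$/;

// Linear comparison: the semver.org reference regex. Identifiers are separated
// by '.', which `[0-9a-zA-Z-]` cannot match, so there is only one tokenisation.
const SEMVER_ORG_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Time re.test() on the advisory payload for each i. Compare the ms column of
// consecutive rows: a roughly constant ratio greater than 1 means exponential
// growth; a flat column means the pattern is linear on this input.
function measureGrowth(re, sizes) {
  return sizes.map((i) => {
    const input = buildPayload(i);
    const start = performance.now();
    const matched = re.test(input);
    const ms = performance.now() - start;
    return { i, length: input.length, matched, ms };
  });
}

// Interim guard for code that must pass untrusted strings to a regex it cannot
// replace yet: refuse anything longer than a plausible version string before the
// regex runs, so the worst case is bounded by maxLen instead of by the attacker.
// (semver-regex returns a fresh regex per call; a shared /g or /y regex keeps
// lastIndex between calls, which is reset here so results do not depend on it.)
function guardedTest(re, input, maxLen = 256) {
  if (typeof input !== 'string') return { ran: false, reason: 'not a string' };
  if (input.length > maxLen) return { ran: false, reason: 'input too long' };
  if (re.global || re.sticky) re.lastIndex = 0;
  return { ran: true, matched: re.test(input) };
}

// Small sizes only: with the constructed pattern the time roughly doubles or
// more per step, so i around 10 already takes seconds on a typical machine.
for (const row of measureGrowth(EXPONENTIAL_PRERELEASE_RE, [1, 2, 3, 4, 5])) {
  console.log(`exponential  i=${row.i} len=${row.length} matched=${row.matched} ${row.ms.toFixed(3)} ms`);
}
for (const row of measureGrowth(SEMVER_ORG_RE, [1, 2, 3, 4, 5, 200])) {
  console.log(`semver.org   i=${row.i} len=${row.length} matched=${row.matched} ${row.ms.toFixed(3)} ms`);
}
console.log(guardedTest(EXPONENTIAL_PRERELEASE_RE, buildPayload(100)));
console.log(guardedTest(SEMVER_ORG_RE, '1.2.3-alpha.1+build.5'));
```

To check an actual dependency, replace EXPONENTIAL_PRERELEASE_RE with the regex returned by the installed semver-regex version (each call to the exported function returns a new regex object) and increase i one step at a time; stop as soon as the ms column multiplies rather than adding a constant. The length cap is a stopgap only: it limits how long a single call can run, but does not make the pattern linear, so the real fix remains upgrading to 3.1.4 or 4.0.3.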
