Regular Expression Denial of Service (ReDoS)

Affecting semver package, versions <4.3.2

Do your applications use this vulnerable package? Test your applications

Overview

semver is a semantic version parser used by npm.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Overview

npm is a package manager for javascript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The semver module uses regular expressions when parsing a version string. For a carefully crafted input, the time it takes to process these regular expressions is not linear to the length of the input. Since the semver module did not enforce a limit on the version string length, an attacker could provide a long string that would take up a large amount of resources, potentially taking a server down. This issue therefore enables a potential Denial of Service attack. This is a slightly differnt variant of a typical Regular Expression Denial of Service (ReDoS) vulnerability.

Details

<<ReDoS>>

Remediation

Update to a version 4.3.2 or greater. From the issue description [2]: "Package version can no longer be more than 256 characters long. This prevents a situation in which parsing the version number can use exponentially more time and memory to parse, leading to a potential denial of service."

References

Remediation

Upgrade semver to version 4.3.2 or higher.

References

Snyk patch available for versions:

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Credit
Adam Baldwin
CVE
CVE-2015-8855
CWE
CWE-400
Snyk ID
npm:semver:20150403
Disclosed
03 Apr, 2015
Published
03 Apr, 2015