semver is a semantic version parser used by npm.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The semver module uses regular expressions when parsing a version string. For a carefully crafted input, the time it takes to process these regular expressions is not linear to the length of the input. Since the semver module did not enforce a limit on the version string length, an attacker could provide a long string that would take up a large amount of resources, potentially taking a server down. This issue therefore enables a potential Denial of Service attack. This is a slightly differnt variant of a typical Regular Expression Denial of Service (ReDoS) vulnerability.
Update to a version 4.3.2 or greater. From the issue description : "Package version can no longer be more than 256 characters long. This prevents a situation in which parsing the version number can use exponentially more time and memory to parse, leading to a potential denial of service."
semver to version 4.3.2 or higher.
Snyk patch available for versions:
- <4.3.2 >= 2.0.2