Regular Expression Denial of Service (ReDoS) Vulnerability in package semver

Issue date: 12-03-2025
Affects versions: 16.1, 15.7

Security Issue ID

SECURITY-485


Affected Product Version(s)

15.7.0 and 16.1.0 (and previous patch releases)


Severity

High


Description

CVE-2022-25883

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CVSS v3 Base Score: 7.5

CWE-1333: Inefficient Regular Expression Complexity

Instructions

Customers are advised to upgrade to the latest version, which is 16.2.0 as of the time of writing.
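The following is an added example written for this advisory; it is not code from the product or from the semver project. It shows two defensive checks a practitioner would want while rolling out the upgrade: flagging any installed semver package below the fixed release 7.5.2 named in the description, and bounding the length of untrusted range strings before they reach a regex-backed parser such as semver's Range constructor, since the cost of a ReDoS pattern grows with input length. The dependency list and the 256-character cap are constructed assumptions, not values from the page.

```javascript
// Added example (not from the advisory): defensive checks around the
// semver ReDoS issue (CVE-2022-25883). Assumes the fixed release is 7.5.2
// as stated in the advisory; the length cap and sample data are constructed.

const FIXED_SEMVER_VERSION = '7.5.2'; // from the advisory: semver < 7.5.2 is affected
const MAX_RANGE_LENGTH = 256;         // assumed cap for untrusted range strings

// Parse "MAJOR.MINOR.PATCH" into an array of numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two parsed versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the installed semver version is below the fixed release.
function isVulnerableSemver(installed) {
  const inst = parseVersion(installed);
  if (!inst) throw new Error(`unparseable version: ${installed}`);
  return compareVersions(inst, parseVersion(FIXED_SEMVER_VERSION)) < 0;
}

// Scan a lockfile-style list of {name, version} entries and return the
// semver versions that still need upgrading.
function findVulnerableSemver(deps) {
  return deps
    .filter((d) => d.name === 'semver' && isVulnerableSemver(d.version))
    .map((d) => d.version);
}

// Guard for untrusted range input: reject non-strings and over-long input
// before handing it to a regex-backed parser. Returns the input unchanged
// when it is acceptable.
function guardRangeInput(input, maxLen = MAX_RANGE_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('range must be a string');
  if (input.length > maxLen) {
    throw new RangeError(`range too long (${input.length} > ${maxLen})`);
  }
  return input;
}

// Wrap any range parser (e.g. (s) => new semver.Range(s)) so the length
// guard always runs first. The parser is injected so this file runs offline.
function parseRangeSafely(parser, input, maxLen = MAX_RANGE_LENGTH) {
  return parser(guardRangeInput(input, maxLen));
}

// Constructed sample dependency list (not from the page).
const SAMPLE_DEPS = [
  { name: 'semver', version: '7.3.8' },
  { name: 'semver', version: '7.5.2' },
  { name: 'semver', version: '7.5.4' },
  { name: 'lodash', version: '4.17.21' },
];

// Stand-alone run: report which sample entries still need the upgrade.
console.log('semver versions below 7.5.2:', findVulnerableSemver(SAMPLE_DEPS));
```

In a real project the `parser` argument would be `(s) => new semver.Range(s)`; the guard is a belt-and-braces control and does not replace the upgrade itself, which remains the fix.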