CVE-2015-8855: Regular Expression Denial of Service in semver

October 24, 2017 (updated September 21, 2021)

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a “regular expression denial of service (ReDoS).”

References

www.openwall.com/lists/oss-security/2016/04/20/11
www.securityfocus.com/bid/86957
github.com/advisories/GHSA-x6fg-f45m-jf5q
nodesecurity.io/advisories/31
nvd.nist.gov/vuln/detail/CVE-2015-8855
www.npmjs.com/advisories/31
www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Code Behaviors & Features

Detect and mitigate CVE-2015-8855 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →