CVE-2015-8855: Regular Expression Denial of Service in semver
(updated )
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
References
- github.com/advisories/GHSA-x6fg-f45m-jf5q
- github.com/github/advisory-database/pull/7102
- github.com/npm/node-semver
- github.com/npm/node-semver/commit/5c4c9f6e26c7052a42b5ced2a7481c5c9b4363a0
- github.com/npm/node-semver/commit/c80180d8341a8ada0236815c29a2be59864afd70
- nvd.nist.gov/vuln/detail/CVE-2015-8855
- www.npmjs.com/advisories/31
- www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Code Behaviors & Features
Detect and mitigate CVE-2015-8855 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →