[SECURITY] semver vulnerable to Regular Expression Denial of Service #2

Closed
NullDev opened this issue Jul 2, 2023 · 1 comment
Labels
security Security issues & Vulnerabilities

NullDev commented Jul 2, 2023

@babel/core depends on vulnerable versions of semver.
Babel uses Semver v6 for backwards compatibility. It's fixed in v7.
We are currently waiting on a backport of the fix to v6.
So are babel and vscode.

See here:
npm/node-semver#564 (comment)
babel/babel#15720 (comment)

Links to audits, CVE, etc.:
GHSA-c2qf-rxjj-qqgw
https://nvd.nist.gov/vuln/detail/CVE-2022-25883
Note that this currently is not a problem but rather just an inconvenience.
The vulnerability takes effect when user input is passed to semver, which babel does not do.

@NullDev NullDev added the security Security issues & Vulnerabilities label Jul 2, 2023
@NullDev NullDev pinned this issue Jul 2, 2023
NullDev commented Jul 5, 2023

UPDATE: Probably have to wait for an update from babel. The backport has been made:
npm/node-semver#564 (comment)

@NullDev NullDev closed this as completed Mar 26, 2024