Headline
CVE-2022-25883: fix: better handling of whitespace (#564) · npm/node-semver@717534e
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Expand Up @@ -26,19 +26,26 @@ class Range { this.loose = !!options.loose this.includePrerelease = !!options.includePrerelease
// First, split based on boolean or || // First reduce all whitespace as much as possible so we do not have to rely // on potentially slow regexes like \s*. This is then stored and used for // future error messages as well. this.raw = range this.set = range .trim() .split(/\s+/) .join(' ')
// First, split on || this.set = this.raw .split(‘||’) // map the range to a 2d array of comparators .map(r => this.parseRange(r.trim())) .map(r => this.parseRange®) // throw out any comparator lists that are empty // this generally means that it was not a valid range, which is allowed // in loose mode, but will still throw if the WHOLE range is invalid. .filter(c => c.length)
if (!this.set.length) { throw new TypeError(`Invalid SemVer Range: ${range}`) throw new TypeError(`Invalid SemVer Range: ${this.raw}`) }
// if we have any that are not the null set, throw out null sets. Expand All @@ -64,9 +71,7 @@ class Range {
format () { this.range = this.set .map((comps) => { return comps.join(' ').trim() }) .map((comps) => comps.join(' ').trim()) .join(‘||’) .trim() return this.range Expand All @@ -77,8 +82,6 @@ class Range { }
parseRange (range) { range = range.trim()
// memoize range parsing for performance. // this is a very hot path, and fully deterministic. const memoOpts = Expand All @@ -105,9 +108,6 @@ class Range { // `^ 1.2.3` => `^1.2.3` range = range.replace(re[t.CARETTRIM], caretTrimReplace)
// normalize spaces range = range.split(/\s+/).join(' ')
// At this point, the range is completely trimmed and // ready to be split into comparators.
Expand Down Expand Up @@ -203,7 +203,7 @@ const Comparator = require(‘./comparator’) const debug = require(‘…/internal/debug’) const SemVer = require(‘./semver’) const { re, safeRe: re, t, comparatorTrimReplace, tildeTrimReplace, Expand Down Expand Up @@ -257,10 +257,13 @@ const isX = id => !id || id.toLowerCase() === ‘x’ || id === ‘*’ // ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0-0 // ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0-0 // ~0.0.1 --> >=0.0.1 <0.1.0-0 const replaceTildes = (comp, options) => comp.trim().split(/\s+/).map(© => { return replaceTilde(c, options) }).join(' ') const replaceTildes = (comp, options) => { return comp .trim() .split(/\s+/) .map(© => replaceTilde(c, options)) .join(' ') }
const replaceTilde = (comp, options) => { const r = options.loose ? re[t.TILDELOOSE] : re[t.TILDE] Expand Down Expand Up @@ -298,10 +301,13 @@ const replaceTilde = (comp, options) => { // ^1.2.0 --> >=1.2.0 <2.0.0-0 // ^0.0.1 --> >=0.0.1 <0.0.2-0 // ^0.1.0 --> >=0.1.0 <0.2.0-0 const replaceCarets = (comp, options) => comp.trim().split(/\s+/).map(© => { return replaceCaret(c, options) }).join(' ') const replaceCarets = (comp, options) => { return comp .trim() .split(/\s+/) .map(© => replaceCaret(c, options)) .join(' ') }
const replaceCaret = (comp, options) => { debug('caret’, comp, options) Expand Down Expand Up @@ -358,9 +364,10 @@ const replaceCaret = (comp, options) => {
const replaceXRanges = (comp, options) => { debug('replaceXRanges’, comp, options) return comp.split(/\s+/).map(© => { return replaceXRange(c, options) }).join(' ') return comp .split(/\s+/) .map(© => replaceXRange(c, options)) .join(' ') }
const replaceXRange = (comp, options) => { Expand Down Expand Up @@ -443,12 +450,15 @@ const replaceXRange = (comp, options) => { const replaceStars = (comp, options) => { debug('replaceStars’, comp, options) // Looseness is ignored here. star is always as loose as it gets! return comp.trim().replace(re[t.STAR], ‘’) return comp .trim() .replace(re[t.STAR], ‘’) }
const replaceGTE0 = (comp, options) => { debug('replaceGTE0’, comp, options) return comp.trim() return comp .trim() .replace(re[options.includePrerelease ? t.GTE0PRE : t.GTE0], ‘’) }
Expand Down Expand Up @@ -486,7 +496,7 @@ const hyphenReplace = incPr => ($0, to = `<=${to}` }
return (`${from} ${to}`).trim() return `${from} ${to}`.trim() }
const testSet = (set, version, options) => { Expand Down
Related news
Red Hat Security Advisory 2024-0719-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include a denial of service vulnerability.
IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a privileged user to obtain sensitive information due to missing best practices. IBM X-Force ID: 213551.
Red Hat Security Advisory 2023-5486-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.
Red Hat Security Advisory 2023-5485-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.
Red Hat Security Advisory 2023-5488-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of servi...
Red Hat Security Advisory 2023-5379-01 - Network Observability 1.4.0. Issues addressed include a denial of service vulnerability.
Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulne...
Red Hat Security Advisory 2023-5362-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-5360-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2023-5363-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * ...
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * ...
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting ...
Red Hat Security Advisory 2023-4341-01 - Red Hat OpenShift bug fix and security update. Red Hat Product Security has rated this update as having a security impact of Low. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.7.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * CVE-2023-22796: A flaw was found in rubygem-ac...
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.