CVE-2022-25883 - How a Vulnerability in Semver Could Let Attackers Stall Your Node.js App
If you’re working in the Node.js ecosystem, there’s a good chance you rely on the popular semver package for version parsing and comparison. That’s why CVE-2022-25883 is important: this issue, found in versions of semver before 7.5.2, allowed an attacker to make your app very slow or even unavailable by sending cleverly crafted input. Let’s break down how and why, and see how to protect your projects.
What is CVE-2022-25883?
CVE-2022-25883 is a Regular Expression Denial of Service (ReDoS) vulnerability in the new Range() constructor provided by semver. If untrusted user data reaches it as a version range (a common thing in web APIs, package managers, or CI systems), the call can take a very long time to return, and the Node.js event loop is blocked for as long as it runs. Note that new Range() is not only reached by calling it directly: semver functions that accept a range string, such as satisfies(), validRange(), maxSatisfying(), minVersion() and intersects(), build a Range internally, so they are exposed in the same way.
Affected package:
semver
Affected versions:
Before 7.5.2 (the fix was later backported to the older release lines as 6.3.1 and 5.7.2, so those are the patched floors for projects pinned to 6.x or 5.x)
The Root of the Problem: Complex Regular Expressions
At the heart of this problem is the use of a complex regular expression inside the new Range constructor. It processes version ranges like '1.2.3 - 4.5.6' to determine which versions are allowed. But a backtracking regular expression engine can take a very long time on inputs that force it to try many different ways of matching the same text before it can fail, for example long runs of repeated characters followed by something that cannot match.
This behaviour is called _catastrophic backtracking_ and is the classic cause of ReDoS.
Let's see an example. Imagine you run code like this (with a vulnerable semver version):
const semver = require('semver'); // semver < 7.5.2
const maliciousRange = '1.2.3' + '!'.repeat(10000) + 'A';
try {
new semver.Range(maliciousRange);
console.log('Done!');
} catch (e) {
console.error('Error:', e);
}
What this does:
On a vulnerable version, the call to new semver.Range() does not reject the invalid input promptly; it keeps matching for a long time before returning or throwing. That time increases with the number of ! characters.
On a busy server, an attacker could send several of these "evil" ranges, quickly tying up your Node.js event loop. Because Node.js serves every request on that one thread, other users would see timeouts or server errors while the matching runs.
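To make the mechanism behind the slowdown concrete, here is an added example that is not code from the original post or from the semver project. It times a classic catastrophically backtracking pattern against a linear one on constructed inputs of growing size; the patterns are illustrative and are not the regular expression semver used, but they show the same shape of problem: an input that matches for a long stretch and then fails, so the engine revisits every way of splitting the matched part.

```javascript
// Added example (not from the original post or from the semver project):
// a classic catastrophically backtracking pattern next to a linear one,
// timed on constructed inputs, to show why a ReDoS payload scales the way
// the vulnerable Range constructor did. These patterns are illustrative
// and are NOT the regular expression that semver itself used.

// Evil: nested quantifier. For "aaaa…a!" the engine tries every way of
// splitting the a's between the inner and outer '+' before giving up.
const EVIL_PATTERN = /^(a+)+$/;
// Safe: the same language matched by a single quantifier; one pass, no ambiguity.
const SAFE_PATTERN = /^a+$/;

// Constructed payload: n characters that match, then one that cannot.
function payload(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single pattern.test() call, in milliseconds.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Run both patterns over increasing sizes. Every test returns false (the
// trailing '!' never matches); only the time differs, and for EVIL_PATTERN
// it roughly doubles with each extra character, while SAFE_PATTERN stays flat.
function compare(sizes = [12, 14, 16, 18, 20]) {
  return sizes.map((n) => {
    const input = payload(n);
    return {
      n,
      evil: timeMatch(EVIL_PATTERN, input),
      safe: timeMatch(SAFE_PATTERN, input),
    };
  });
}

function main() {
  for (const row of compare()) {
    console.log(
      `n=${row.n}: evil ${row.evil.ms.toFixed(3)} ms, safe ${row.safe.ms.toFixed(3)} ms`
    );
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

Run it with node and watch the "evil" column grow by roughly a factor of four every two characters while "safe" stays in the microseconds; sizes are kept small on purpose, since a few more characters would turn the demonstration into an actual hang of the process.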
Who is exposed?
Any code that relies on semver.Range with untrusted data, whether it calls new Range() directly or goes through a semver function that parses a range string for it (satisfies, validRange, maxSatisfying and similar). Typical places are an API endpoint that accepts a version constraint from a client, a registry or package manager that reads dependency ranges out of user-uploaded manifests, and CI tooling that parses ranges from pull requests.
If you're parsing only developer-written code or hardcoded ranges, you're less exposed.
How do I Fix It?
Upgrade your semver package to version 7.5.2 or later.
This version changes the range regular expression logic, making it much more robust against slow inputs. Because semver is a transitive dependency of a great many packages, upgrading your direct dependency alone may leave older copies in node_modules: run npm ls semver to find every installed copy, and use npm audit fix or an overrides entry in package.json to force the patched version where an intermediate package still pins an old one.
You can update with:
npm install semver@latest
or, to a specific version
npm install semver@^7.5.2
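Upgrading is the fix. For services that must hand user-supplied range strings to semver, the following added example (not code from the original post or from the semver project) adds two checks a practitioner would want alongside the upgrade: a sanitizer that keeps hostile strings away from the parser regardless of which semver version is actually installed, and a small version check you can run against every copy that npm ls semver reports. The length cap and the allowed character set are this example's own choices, not values taken from semver; the patched floors are the ones from the GitHub advisory.

```javascript
// Added example (not from the original post or from the semver project):
// defence in depth for code that must pass user-supplied range strings to
// semver. The limits and the allow-list below are choices made for this
// example, not constants taken from semver.

// Characters that legitimately appear in a range expression: digits, letters
// (prerelease tags, x-ranges), the operators . - + ~ ^ < > = | * and spaces.
const RANGE_CHARS = /^[0-9A-Za-z.\-+~^<>=|* ]*$/;
// Cap chosen for this example; real ranges are tens of characters, not thousands.
const MAX_RANGE_LENGTH = 256;

// Normalise and check an untrusted range string BEFORE it reaches
// new semver.Range(), semver.satisfies(), semver.validRange(), etc.
// Returns { ok: true, range } with whitespace collapsed, or { ok: false, reason }.
function sanitizeUntrustedRange(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'range must be a string' };
  }
  // Runs of whitespace are never needed in a range and are a common ingredient
  // of backtracking payloads; collapse them instead of trusting them.
  const range = input.trim().replace(/\s+/g, ' ');
  if (range.length > MAX_RANGE_LENGTH) {
    return { ok: false, reason: `range longer than ${MAX_RANGE_LENGTH} characters` };
  }
  if (!RANGE_CHARS.test(range)) {
    return { ok: false, reason: 'range contains characters outside the allowed set' };
  }
  return { ok: true, range };
}

// Patched floors per major line from the advisory: 7.5.2, with the fix
// backported as 6.3.1 and 5.7.2. Majors below 5 never received the fix.
const PATCHED_FLOORS = { 7: [7, 5, 2], 6: [6, 3, 1], 5: [5, 7, 2] };

// Minimal x.y.z comparison, deliberately independent of semver itself so it
// can be run against require('semver/package.json').version of any copy.
// Assumption made here: any major line newer than 7 carries the fix.
function isPatchedSemverVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major > 7) return true;
  const floor = PATCHED_FLOORS[major];
  if (!floor) return false;
  if (minor !== floor[1]) return minor > floor[1];
  return patch >= floor[2];
}

// Constructed inputs: a legitimate range and the post's style of payload.
function demo() {
  const good = sanitizeUntrustedRange('  >=1.0.0   <2.0.0 || ^3.1.0-beta.2 ');
  const evil = sanitizeUntrustedRange('1.2.3' + '!'.repeat(10000) + 'A');
  return { good, evil, installedOk: isPatchedSemverVersion('7.5.2') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Only a range that comes back with ok: true should be passed on to semver. The sanitizer is stricter than semver itself (it rejects characters semver would tolerate and collapses repeated whitespace), which is the right trade-off for input that arrives over the network.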
How Was This Discovered?
The issue was reported via Huntr.dev and tracked in GitHub Issue #543. The problem was confirmed by the package maintainers, who published a patch.
Official advisory:
- GitHub Security Advisory GHSA-c2qf-rxjj-qqgw
What Can an Attacker Actually Do?
This bug is denial of service only: an attacker can tie up your server so that it stops responding (or gets killed by a watchdog), but they can't read data, write data or escalate privileges through this vector.
Exploit Example:
A real-world attacker might POST or otherwise supply a payload like this (the value is written here as the JavaScript expression that builds it; the actual request body would carry the expanded string of more than 50,000 characters):
{
"range": "1.2.3" + "!".repeat(50000) + "A"
}
If your code parses that field with semver.Range (or with a semver function that parses ranges for you), the worker or process handling the request stops serving anything else until the call returns.
Key Takeaways
- Never parse untrusted user input with vulnerable dependencies, especially those built on regular expressions; where you must, cap the input length and restrict its character set before the parser ever sees it.
References
- Original Advisory: GHSA-c2qf-rxjj-qqgw
- Semver Fix Pull Request
- Huntr.dev Exploit Report
- OWASP ReDoS Explanation
In summary:
_CVE-2022-25883 is a clear example of how regular expressions can be dangerous in critical code. Don’t wait—review your dependencies and update semver today to protect your project._
Timeline
Published on: 06/21/2023 05:15:00 UTC
Last modified on: 07/12/2023 00:53:00 UTC