Regular Expression Denial of Service

Module: semver

Published: April 4th, 2015

Reported by: Adam Baldwin

CVE-2015-8855

CWE-400

Vulnerable: <4.3.2
Patched: >=4.3.2

Overview

Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Remediation

Update to version 4.3.2 or later.
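To find copies that still need the update, the added example below (not part of the advisory or of the semver project) walks an npm lockfile and reports every installed `semver` in the vulnerable range `<4.3.2`. The sample lockfile and the package name `example-tool` are constructed, and the 256-character input bound is this example's own choice.

```javascript
// Added example: flag lockfile entries for semver below the patched release.
const PATCHED = [4, 3, 2]; // first patched version, per the advisory

// Parse MAJOR.MINOR.PATCH; returns null for malformed or oversized input.
function parseCore(version) {
  if (typeof version !== 'string' || version.length > 256) return null; // assumed bound
  const m = /^v?(\d{1,9})\.(\d{1,9})\.(\d{1,9})(?:[-+].*)?$/.exec(version);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true = vulnerable, false = patched, null = could not be parsed.
function isVulnerable(version) {
  const v = parseCore(version);
  if (!v) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return /^v?[\d.]+-/.test(version); // a prerelease of 4.3.2 sorts before 4.3.2
}

function findVulnerableSemver(lock) {
  const hits = [];
  const check = (where, version) => {
    const r = isVulnerable(version);
    if (r !== false) hits.push({ where, version, status: r ? 'vulnerable' : 'unparsed' });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/semver$/.test(path)) check(path, pkg.version);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const where = trail + '>' + name;
      if (name === 'semver') check(where, dep.version);
      walk(dep.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  semver: { version: '5.7.2' },
  'example-tool': { version: '1.0.0', dependencies: { semver: { version: '4.3.1' } } },
} };
console.log(findVulnerableSemver(SAMPLE_LOCK));
```

Entries reported as `unparsed` have a version string the checker could not read and need manual review.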

References

Regular Expression Denial of Service - OWASP