CVE-2022-25883 Overview
CVE-2022-25883 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting versions of the semver package before 7.5.2. The vulnerability exists in the Range constructor (new Range), which can be exploited when untrusted user data is passed as the range argument. This allows attackers to cause excessive CPU consumption by providing specially crafted input strings that trigger catastrophic backtracking in the regex engine.
Critical Impact
Applications using vulnerable versions of the semver package to parse user-supplied version range strings are susceptible to denial of service attacks, potentially causing service unavailability and resource exhaustion.
Affected Products
- npmjs semver versions prior to 7.5.2
- Node.js applications using vulnerable semver versions
- Development tools and CI/CD pipelines with semver dependencies
Discovery Timeline
- 2023-06-21 - CVE-2022-25883 published to NVD
- 2025-09-23 - Last updated in NVD database
Technical Details for CVE-2022-25883
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The semver package is a widely-used Node.js library for parsing and comparing semantic version strings. The vulnerability resides in the Range class, specifically in how whitespace is processed within version range strings.
The root issue stems from regex patterns in the re.js file that exhibit polynomial time complexity when processing certain inputs. When an attacker provides a maliciously crafted range string with excessive whitespace or specific character patterns, the regex engine enters catastrophic backtracking, consuming significant CPU resources and potentially blocking the event loop.
Root Cause
The vulnerability originates from inefficient regular expression patterns used to parse version range strings. Prior to the fix, the Range class relied on complex regex patterns involving \s* (zero or more whitespace) that could be exploited through carefully constructed input strings. These patterns, when combined with specific input, cause the regex engine to evaluate an exponentially growing number of possible matches.
Attack Vector
The attack is network-exploitable and requires no authentication. An attacker can trigger the vulnerability by:
- Identifying an application endpoint that accepts version range input processed by the vulnerable semver library
- Crafting a malicious input string designed to trigger catastrophic regex backtracking
- Submitting the payload, causing the target application's CPU to spike and potentially become unresponsive
The fix normalizes whitespace before processing, reducing reliance on potentially slow regex patterns:
// Security patch in classes/comparator.js
}
}
+ comp = comp.trim().split(/\s+/).join(' ')
debug('comparator', comp, options)
this.options = options
this.loose = !!options.loose
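Review bot: the added normalization `comp = comp.trim().split(/\s+/).join(' ')` carries no comment explaining why it is there, while the matching range.js change documents the reason; add the same note here (collapse whitespace runs so the downstream parsing regexes never see long runs of `\s*` candidates) so the line is not "simplified" away later, and pair the hunk with a regression test that feeds a comparator string padded with long whitespace runs and asserts it parses within a bounded time. Also worth checking: `.trim()` throws a bare TypeError if `comp` is not a string, and nothing in the visible lines guards against that before the call.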
Source: GitHub Commit 717534ee
The Range class was also patched to preprocess whitespace:
// Security patch in classes/range.js
this.loose = !!options.loose
this.includePrerelease = !!options.includePrerelease
- // First, split based on boolean or ||
+ // First reduce all whitespace as much as possible so we do not have to rely
+ // on potentially slow regexes like \s*. This is then stored and used for
+ // future error messages as well.
this.raw = range
- this.set = range
+ .trim()
+ .split(/\s+/)
+ .join(' ')
+
+ // First, split on ||
+ this.set = this.raw
.split('||')
// map the range to a 2d array of comparators
- .map(r => this.parseRange(r.trim()))
+ .map(r => this.parseRange(r))
// throw out any comparator lists that are empty
// this generally means that it was not a valid range, which is allowed
// in loose mode, but will still throw if the WHOLE range is invalid.
.filter(c => c.length)
if (!this.set.length) {
- throw new TypeError(`Invalid SemVer Range: ${range}`)
+ throw new TypeError(`Invalid SemVer Range: ${this.raw}`)
}
// if we have any that are not the null set, throw out null sets.
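Review bot: dropping `.trim()` in `.map(r => this.parseRange(r))` leaves each `||`-separated segment with a leading or trailing single space (after normalization, `1.0.0 || 2.0.0` splits into `1.0.0 ` and ` 2.0.0`), and this hunk does not show whether `parseRange` tolerates that; either keep the per-segment `.trim()`, which is linear and cheap, or confirm in `parseRange` that the surrounding spaces are handled. Separately, `this.raw` now holds the collapsed string rather than the caller's original input, as the new comment states, so the `Invalid SemVer Range: ${this.raw}` message changes too; that deserves a line in the release notes.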
Source: GitHub Commit 717534ee
Detection Methods for CVE-2022-25883
Indicators of Compromise
- Unusual CPU spikes on application servers processing version strings
- Slow response times or timeouts on endpoints accepting version range input
- Node.js event loop blocking or application hangs during semver operations
- Monitoring alerts for regex execution timeouts in application logs
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable semver package versions in your dependency tree
- Use npm audit or yarn audit to detect known vulnerabilities in project dependencies
- Deploy runtime monitoring to detect abnormal CPU usage patterns associated with regex processing
- Review application logs for timeout errors related to version parsing operations
Monitoring Recommendations
- Set up alerting for sustained high CPU utilization on Node.js application servers
- Monitor event loop lag metrics to detect blocking operations
- Implement request timeout thresholds for endpoints processing user-supplied version strings
- Use SentinelOne's Singularity Platform to monitor for process behavior anomalies indicative of DoS conditions
How to Mitigate CVE-2022-25883
Immediate Actions Required
- Update the semver package to version 7.5.2 or later immediately
- Audit your application's dependency tree for transitive dependencies on vulnerable semver versions
- Implement input validation to limit the length and complexity of user-supplied version range strings
- Consider implementing request timeouts on endpoints that process version strings
Patch Information
The vulnerability has been addressed in semver version 7.5.2. The fix preprocesses input strings to normalize whitespace before applying regex patterns, eliminating the conditions that enable catastrophic backtracking. The patch is available via the GitHub Pull Request #564 and GitHub Commit 717534ee.
Additional security information is available in the Snyk Vulnerability Database and NetApp Security Advisory.
Workarounds
- If an immediate upgrade is not possible, implement input sanitization that collapses excessive whitespace in version range inputs before passing them to semver
- Apply request rate limiting on endpoints that accept version range parameters
- Set execution timeouts for semver parsing operations to prevent extended CPU consumption
- Consider using alternative version parsing approaches for user-supplied input validation
# Update semver to the patched version
npm update semver
# Or install the specific patched version
npm install semver@7.5.2
# Audit your project for vulnerable dependencies
npm audit
# Fix vulnerabilities automatically where possible
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

