[GHSA-c2qf-rxjj-qqgw] semver vulnerable to Regular Expression Denial of Service#6771
Pull request overview
Updates the GHSA advisory for semver ReDoS to correct the affected version range based on the fact that semver.Range does not exist in v1.x.
Changes:
- Adjusts the affected range start from 0 to 2.0.1 for the < 5.7.2 vulnerable line.
- Updates the advisory modified timestamp.
| { | ||
| "introduced": "0" | ||
| "introduced": "2.0.1" | ||
| }, | ||
| { | ||
| "fixed": "5.7.2" |
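Review bot: "introduced": "2.0.1" sorts after 2.0.0-alpha and 2.0.0-beta in SemVer precedence, and the thread below finds a Range function in both of those prereleases, so the structured range as written leaves them out; either start the range at "2.0.0-alpha" or confirm that the database's prerelease handling covers them, and update the details text, which still reads "all other versions before 5.7.2", so the narrative matches the new lower bound.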
The advisory text in details still says "all other versions before 5.7.2" are vulnerable, which implies v0.x/v1.x are affected. Now that the affected range starts at 2.0.1, please update the details field to reflect the corrected affected versions so the narrative matches the structured affected.ranges data.

Do 2.0.0-beta or 2.0.0-alpha contain the vulnerable Range?

https://app.unpkg.com/semver@2.0.0-alpha/files/semver.js does not have a Range class, but https://app.unpkg.com/semver@2.0.0-beta/files/semver.js#L524 does have

https://app.unpkg.com/semver@2.0.0-alpha/files/semver.js#L427 seems to start the Range function for 2.0.0-alpha.

Oh whoops, nice find. Both are vulnerable, then.
Merged 256d1c1 into ljharb/advisory-improvement-6771

Hi @ljharb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@JonathanLEvans this was merged as "introduced in 2.0.1", but it seems like that should be "2.0.0-alpha" based on our discussion?

Ah, nvm, I see GHSA-c2qf-rxjj-qqgw correctly includes the prereleases.
Versions 1.0.0 through 1.1.4 (all v1.x) are NOT affected by this vulnerability. These versions do not have the Range class - semver.Range is undefined in v1.x. The vulnerable code path (Range constructor with regex parsing) does not exist in v1.x. Testing confirms the PoC (new semver.Range(payload)) fails with semver.Range is not a constructor on all v1.x versions. The affected range should start at 2.0.1, which is the first version containing the vulnerable Range class.
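The two range questions raised in this thread, whether v1.x falls outside the affected range and whether "introduced": "2.0.1" covers the 2.0.0-alpha and 2.0.0-beta prereleases, come down to how OSV-style introduced/fixed events are evaluated under SemVer precedence. The script below is an added example and is not code from this pull request, the semver package or the advisory database: it implements SemVer 2.0.0 version comparison (prerelease identifiers sort before the release, numeric identifiers before alphanumeric ones) and applies two constructed event lists, the one merged here and one starting at 2.0.0-alpha, to the versions named in the discussion.

```javascript
// Added example: evaluate OSV/GHSA-style affected ranges (introduced/fixed events)
// against package versions using SemVer 2.0.0 precedence rules. Not code from the
// semver package or the advisory database; the ranges and version list below are
// constructed from the discussion in this pull request.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Build metadata is ignored for precedence, as SemVer specifies.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers (SemVer 2.0.0 item 11): numeric identifiers
// compare numerically and sort before alphanumeric ones, which compare lexically.
function compareIdent(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b under SemVer precedence.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  // Same core version: a prerelease sorts BEFORE the plain release.
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list is greater.
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Evaluate an OSV-style event list: a version is affected iff it is >= the
// introduced version and, when a fixed event is present, < the fixed version.
function isAffected(version, events) {
  let introduced = null;
  let fixed = null;
  for (const e of events) {
    if ("introduced" in e) introduced = e.introduced;
    if ("fixed" in e) fixed = e.fixed;
  }
  if (introduced === null) throw new Error("range has no introduced event");
  if (compareVersions(version, introduced) < 0) return false;
  return fixed === null || compareVersions(version, fixed) < 0;
}

// Constructed ranges: the events merged in this PR, and the alternative the
// discussion suggests once the 2.0.0 prereleases are taken into account.
const RANGE_MERGED = [{ introduced: "2.0.1" }, { fixed: "5.7.2" }];
const RANGE_WITH_PRERELEASES = [{ introduced: "2.0.0-alpha" }, { fixed: "5.7.2" }];

// Constructed version list: v1.x (no Range class per the PR description), the two
// 2.0.0 prereleases the thread found to contain Range, the first 2.0.x release,
// the last version before the fix, and the fixed version.
const SAMPLE_VERSIONS = ["1.0.0", "1.1.4", "2.0.0-alpha", "2.0.0-beta", "2.0.1", "5.7.1", "5.7.2"];

// Which of the sample versions a given event list flags as affected.
function affectedVersions(events) {
  return SAMPLE_VERSIONS.filter((v) => isAffected(v, events));
}

// Usage: show that introduced "2.0.1" drops both prereleases, while
// introduced "2.0.0-alpha" keeps them and still excludes all of v1.x.
for (const [name, events] of [["merged", RANGE_MERGED], ["with prereleases", RANGE_WITH_PRERELEASES]]) {
  console.log(`${name}: ${affectedVersions(events).join(", ")}`);
}
```

The comparison is the part that matters for the advisory: because 2.0.0-alpha and 2.0.0-beta sort below 2.0.0, and therefore below 2.0.1, an introduced bound of 2.0.1 excludes them from the structured range even though the thread identifies a Range function in both, while either bound keeps every v1.x version out.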