All semver CVEs — Complete Vulnerability History
semver is the npm package for parsing and comparing semantic version strings. It's one of the most downloaded npm packages — a transitive dependency of npm itself and thousands of tools.
Registry: npm · 200M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2015-8855 | 2015 | HIGH | Regular expression DoS in comparator parsing | Fixed 4.3.2 |
| CVE-2022-25883 | 2022 | HIGH | ReDoS in coerce() function | Fixed 7.5.2 |
Current safe version: 7.5.4. Update the dependency entry in package.json:

```
# Before
"semver": "7.5.0"
# After
"semver": "7.5.4"
```

Then run: `npm install`
Paste your manifest — see your exact versions against the full CVE history.
Common questions
How do I fix semver if it's a transitive dependency?
semver appears as a transitive dependency in almost every Node.js project. Use npm overrides in package.json:

```json
{"overrides": {"semver": "7.5.4"}}
```

PackageFix generates this block automatically.
Is semver ReDoS exploitable in practice?
The coerce() ReDoS requires passing a very long string. In most applications, version strings come from package.json or known sources, not user input. Still worth patching — the upgrade has no breaking changes.