CVE-2022-25883 — semver ReDoS HIGH
🔴 CISA KEV
npm
CVSS 7.5 · semver < 7.5.2 → 7.5.4
The semver package's coerce() function uses a regular expression vulnerable to catastrophic backtracking. An attacker can send a crafted version string that causes the regex engine to spin for seconds or minutes, creating a denial-of-service condition in any application that calls semver.coerce() with user input.
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| semver | npm | < 7.5.2 | 7.5.4 | Full fix guide → |
How to fix CVE-2022-25883
- Update semver to 7.5.2 or later (7.5.4 recommended)
- Run npm install
- Avoid calling semver.coerce() with untrusted input
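Where the semver.coerce() call cannot be removed, "avoid untrusted input" means rejecting the string before the library's regex ever sees it. The guard below is an added example, not code from this advisory or from the semver project: it caps length at the same 256 characters semver applies to version strings and allows only characters that can appear in a version or range, then hands the survivors to the real parser. `checkVersionInput`, `safeCoerce` and the injected `coerceFn` parameter are this example's own names; the character set is an assumption to adjust for your inputs.

```javascript
// Added example: input guard in front of semver.coerce() (or any semver parse).
// The parser is injected so the guard has no dependency and is testable alone:
//   safeCoerce(userInput, require('semver').coerce)

// semver rejects version strings longer than 256 characters; enforcing the same
// limit at the application boundary stops oversized input before any regex runs.
const MAX_VERSION_LENGTH = 256;

// Linear-time check (a single character class, no nested quantifiers):
// digits, letters, '.', '+', '-', '^', '~', comparison and range operators, spaces.
const ALLOWED_CHARS = /^[0-9A-Za-z.+\-^~<>=*| ]*$/;

// Returns { ok, reason } so callers can log why input was refused.
function checkVersionInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length === 0) return { ok: false, reason: 'empty' };
  if (input.length > MAX_VERSION_LENGTH) return { ok: false, reason: 'too long' };
  if (!ALLOWED_CHARS.test(input)) return { ok: false, reason: 'bad characters' };
  return { ok: true, reason: null };
}

// Calls coerceFn only for input that passed the guard; rejected input is treated
// exactly like an unparseable version (semver.coerce returns null for those too).
function safeCoerce(input, coerceFn) {
  const verdict = checkVersionInput(input);
  if (!verdict.ok) return null;
  return coerceFn(input);
}
```

Log the `reason` at the rejection point: a burst of "too long" rejections on one endpoint is the detection signal for someone probing the parser.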
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2022-25883 no longer appears in the CVE table, you're clean.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
What is ReDoS?
Regular Expression Denial of Service — a crafted input string causes a regex to backtrack exponentially, consuming CPU and hanging the process. Even a single crafted request can take down a Node.js server.
Is semver a transitive dependency?
Yes — semver is one of the most widely installed npm packages. It is a transitive dependency of npm itself, webpack, and thousands of other packages. Use npm overrides to force the safe version transitively.
How do I fix semver if it's transitive?
Add to package.json: `{"overrides": {"semver": "7.5.4"}}`. PackageFix generates this automatically when it detects a transitive semver vulnerability.
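The override only helps if every nested copy of semver actually ends up on a fixed version, so the check worth running is against the lockfile, not package.json. The script below is an added example, not PackageFix's code or anything from the advisory: it walks the `packages` map of an npm lockfile (v2/v3 layout, where nested installs appear under paths such as `node_modules/<pkg>/node_modules/semver`), reports every copy below 7.5.2, and returns the package.json with the recommended override added. The sample lockfile is constructed for the example; `findVulnerableSemver`, `addSemverOverride` and `compareVersions` are this example's own names.

```javascript
// Added example: audit an npm lockfile for semver < 7.5.2 and add the override.
// Assumes lockfile v2/v3 ("packages" keyed by install path).

const FIXED_VERSION = '7.5.2';   // first fixed release per the advisory
const PINNED_VERSION = '7.5.4';  // version the fix guide recommends pinning

// Compare two dotted numeric versions (prerelease suffix ignored). Returns -1, 0, 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of semver, top-level or nested, whose version is below
// FIXED_VERSION. An empty result means the override (or upgrade) took effect.
function findVulnerableSemver(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/semver')) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Copy of package.json with the advisory's override merged in (other overrides kept).
function addSemverOverride(pkg) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), semver: PINNED_VERSION } };
}

// Constructed sample: the top-level copy is fixed, a nested copy is not.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-build-tool': { version: '2.0.0' },
    'node_modules/some-build-tool/node_modules/semver': { version: '6.3.0' },
  },
};

const SAMPLE_PACKAGE_JSON = { name: 'sample-app', dependencies: { 'some-build-tool': '^2.0.0' } };

console.log('vulnerable copies:', findVulnerableSemver(SAMPLE_LOCKFILE));
console.log('patched package.json:', JSON.stringify(addSemverOverride(SAMPLE_PACKAGE_JSON)));
```

Run the audit again after `npm install`; the `overrides` field is honoured by npm 8.3 and later, so on an older npm the nested copy will still be reported and the check catches that.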