Severity: 7.5 HIGH
EPSS: 1.1% (top 22.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jan 23; Latest update Mar 15

Description

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source | Package        | Introduced / Affected | Fixed
Debian | node-semver    | < 5.3.0-1+3           |
npm    | semver         | 1.0.4                 | 4.3.2
NVD    | nodejs/node.js | 4.3.1                 |

Patches

🔴 Vulnerability Details (4)

OSV: Regular Expression Denial of Service in semver (2017-10-24)
GHSA: Regular Expression Denial of Service in semver (2017-10-24)
OSV: CVE-2015-8855: The semver package before 4 (2017-01-23)
CVEList: CVE-2015-8855: The semver package before 4 (2017-01-23)

📋 Vendor Advisories (3)

Ubuntu: semver vulnerability (2021-03-15)
Red Hat: nodejs-semver: npm Regular Expression Denial of Service during package versions parsing (2015-04-03)
Debian: CVE-2015-8855: node-semver - The semver package before 4.3.2 for Node.js allows attackers to cause a denial o... (2015)

💬 Community (3)

Bugzilla: CVE-2015-8855 nodejs-semver: npm Regular Expression Denial of Service during package versions parsing [fedora-all] (2015-04-07)
Bugzilla: CVE-2015-8855 nodejs-semver: npm Regular Expression Denial of Service during package versions parsing [epel-all] (2015-04-07)
Bugzilla: CVE-2015-8855 nodejs-semver: npm Regular Expression Denial of Service during package versions parsing (2015-04-07)
CVE-2015-8855 (HIGH CVSS 7.5) | The semver package before 4.3.2 for | cvebase.io