CVE-2015-8855

High

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka…

mitre·CWE-399·Published 2017-01-23

CVSS

7.5

EPSS

0.06

KEV

Exploits

cve.orgen

188 chars

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

NVDen

188 chars

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

OSV.deven

210 chars

Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. ## Recommendation Update to version 4.3.2 or later

GHSAen

210 chars

NVDes

268 chars

El paquete semver en versiones anteriores a 4.3.2 para Node.js permite a atacantes provocar una denegación de servicio (consumo de CPU) a través de una cadena de versión larga, vulnerabilidad también conocida como "denegación de servicio de expresión regular (ReDoS)".

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.8	10.0	6.9	AV:N/AC:L/Au:N/C:N/I:N/A:C
3.0	Primary	NVD	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H