## CVE-2022-25883: ReDoS Vulnerability in Legacy `semver` Parser Threatens Node.js Supply Chain
A medium-severity vulnerability, CVE-2022-25883, has been identified in a legacy version of the `semver` library, the semantic-versioning parser used by npm itself and embedded in countless Node.js projects. The flaw, a Regular Expression Denial of Service (ReDoS) in the `new Range()` constructor, is reachable whenever untrusted input is parsed as a version range. This is not a theoretical concern: the defect is present in `semver` 4.3.2, a version still widely deployed through deep dependency chains.

The vulnerability was discovered within the dependency tree of a project using `pg-promise-4.8.1`. The path traces from the root library down to `pg-5.1.0.tgz`, which ultimately depends on the vulnerable `semver-4.3.2.tgz`. This illustrates the pervasive and often hidden nature of supply chain risk, where a security flaw in a low-level, foundational package can be inherited by higher-level applications, including database clients and web servers, without direct developer awareness.
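The hidden-dependency problem described above is easiest to see by walking a lockfile. The following is an added example, not code from the article or from the `semver` project: it walks a package-lock-style nested `dependencies` tree and reports every copy of `semver` below the fix version the article gives (7.5.2), together with the install path that pulls it in. The lockfile object is constructed for this example; the `pg-promise@4.8.1 > pg@5.1.0 > semver@4.3.2` chain mirrors the article, while the top-level `semver@7.5.2` entry is invented to show a copy that passes the check.

```javascript
// Added example (not from the article or the semver project). Finds every
// copy of `semver` older than the article's fix version and prints the
// dependency path that introduces it. The version comparison is done by hand
// so that the audit does not itself depend on the package being audited.
const FIXED_SEMVER = [7, 5, 2]; // "upgrade to 7.5.2 or later", per the article

// Constructed lockfile (npm lockfile v1 shape). Only the pg-promise -> pg ->
// semver chain comes from the article; the top-level semver entry is invented.
const constructedLockfile = {
  name: "example-app",
  dependencies: {
    "pg-promise": {
      version: "4.8.1",
      dependencies: {
        pg: {
          version: "5.1.0",
          dependencies: { semver: { version: "4.3.2" } },
        },
      },
    },
    semver: { version: "7.5.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes ignored) into integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A semver copy is flagged when it is strictly older than the fix version.
function isVulnerableSemver(version) {
  return compareVersions(parseVersion(version), FIXED_SEMVER) < 0;
}

// Depth-first walk over nested `dependencies` maps. Returns one finding per
// vulnerable `semver` copy, with the "name@version > ..." path that reaches it.
function findVulnerableSemver(lock) {
  const findings = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...trail, `${name}@${entry.version}`];
      if (name === "semver" && isVulnerableSemver(entry.version)) {
        findings.push({ version: entry.version, path: here.join(" > ") });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

for (const f of findVulnerableSemver(constructedLockfile)) {
  console.log(`vulnerable semver@${f.version} via ${f.path}`);
}
```

On a real project the same walk can be fed the parsed output of `npm ls semver --json` or the lockfile on disk; a finding whose path runs through a third-party package means the fix has to land in that parent's own release, which is the remediation difficulty the article points out.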

The primary risk is service disruption. An attacker could craft a malicious version range string that triggers catastrophic backtracking in the vulnerable regular expression, causing the Node.js process to consume 100% CPU and become unresponsive. This creates a direct path for denial-of-service attacks against any application or service that evaluates version ranges from external sources, such as package managers, API endpoints, or configuration files. The fix is to upgrade the `semver` dependency to version 7.5.2 or later, but remediation is complicated by its position as a transitive dependency: parent packages such as `pg` must themselves be updated to releases that pull in a fixed `semver`.
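Until the transitive dependency can be upgraded, the practical mitigation is to never let the parser see unbounded or unexpected input. The following is an added example, not code from the article or from the `semver` project: a length-and-alphabet check applied to an untrusted string before it reaches `new Range()`. The 128-character cap, the accepted character set, and the `parseUntrustedRange` wrapper (which takes the `Range` constructor as a parameter so the example runs without the `semver` package installed) are this example's assumptions.

```javascript
// Added example (not from the article or the semver project): bound and
// whitelist an untrusted version-range string before handing it to a parser
// with a backtracking regular expression. Cap and alphabet are assumptions.
const MAX_RANGE_LENGTH = 128; // assumed cap; legitimate npm ranges are far shorter

// Characters that occur in npm-style ranges: digits and letters (x/X wildcards,
// prerelease tags), dots, hyphens (hyphen ranges, prerelease ids), +build,
// the ^ ~ < > = comparator operators, | for unions, and single spaces.
const RANGE_ALPHABET = /^[0-9A-Za-z.\-+*^~<>=| ]*$/;

// Returns { ok: true, value } with a normalized range, or { ok: false, reason }.
// Every check here runs in linear time on the input, so the guard itself
// cannot become the denial-of-service target.
function checkRangeInput(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not-a-string" };
  if (raw.length > MAX_RANGE_LENGTH) return { ok: false, reason: "too-long" };
  if (!RANGE_ALPHABET.test(raw)) return { ok: false, reason: "bad-chars" };
  // Canonicalize: drop surrounding blanks and collapse internal runs of spaces
  // so the parser only ever sees the compact form a human would write.
  const value = raw.trim().replace(/ +/g, " ");
  if (value.length === 0) return { ok: false, reason: "empty" };
  return { ok: true, value };
}

// Wrapper to put in front of the real parser. In an application this would be
// called as parseUntrustedRange(userInput, require("semver").Range); the
// constructor is injected here so the example needs no external package.
function parseUntrustedRange(raw, RangeCtor) {
  const checked = checkRangeInput(raw);
  if (!checked.ok) {
    throw new Error(`rejected version range (${checked.reason})`);
  }
  return new RangeCtor(checked.value);
}

// Stand-in for semver's Range so the block runs stand-alone (constructed).
class StubRange {
  constructor(range) {
    this.raw = range;
  }
}

console.log(parseUntrustedRange("  >=1.2.3   <2.0.0 ", StubRange).raw);
```

The check rejects rather than repairs: an input that fails it is logged and dropped, and only the canonical form of an accepted input ever reaches `new Range()`. Treat the cap as a policy knob per input source, and log the `reason` value so rejected inputs show up in monitoring.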

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2022-25883, ReDoS, Node.js, Supply Chain, npm
- **Credibility**: unverified
- **Published**: 2026-03-31 06:27:11
- **ID**: 42517
- **URL**: https://whisperx.ai/en/intel/42517