CVE-2021-43307: Regular expression denial of service in semver-regex

June 2, 2022 (updated July 18, 2023)

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

References

github.com/advisories/GHSA-4x5v-gmq8-25ch
github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c
nvd.nist.gov/vuln/detail/CVE-2021-43307
research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Detect and mitigate CVE-2021-43307 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →