
[GHSA-x6fg-f45m-jf5q] Regular Expression Denial of Service in semver #7101

Closed
ljharb wants to merge 1 commit into ljharb/advisory-improvement-7101 from ljharb-GHSA-x6fg-f45m-jf5q

Conversation


@ljharb ljharb commented Mar 3, 2026

Updates

  • Affected products

Comments
The affected version range for this advisory should be narrowed. Versions 1.0.0 through 1.0.14 of semver are NOT vulnerable to CVE-2015-8855.

The vulnerability is a Regular Expression Denial of Service (ReDoS) caused by \s* whitespace quantifiers in the version parsing regex. In semver 1.0.x, the main regex pattern is:
[v=]*([0-9]+).([0-9]+).([0-9]+)
This regex has NO whitespace quantifiers and therefore cannot exhibit catastrophic backtracking on whitespace-padded inputs.

In semver 1.1.0, the regex was changed to:
\s*[v=]*\s*([0-9]+).([0-9]+).([0-9]+)
The added \s* quantifiers create the backtracking vulnerability when combined with the alternation in range parsing.

Behavioral testing confirms this:

  • semver 1.0.14: validRange(long_whitespace_payload) completes in <3ms
  • semver 1.1.0: validRange(long_whitespace_payload) takes >1600ms with exponential growth

The correct affected range should be >= 1.1.0, < 4.3.2 (not >= 0, < 4.3.2).

Copilot AI review requested due to automatic review settings March 3, 2026 17:29
@github-actions github-actions bot changed the base branch from main to ljharb/advisory-improvement-7101 March 3, 2026 17:30
@JonathanLEvans

Could you provide the commits to where the changes are made?


Copilot AI left a comment


Pull request overview

Narrows the affected version range for GHSA-x6fg-f45m-jf5q (CVE-2015-8855) to reflect that semver 1.0.x is not vulnerable to the ReDoS issue.

Changes:

  • Update the advisory’s affected range to start at semver 1.1.0 instead of 0
  • Refresh the advisory’s modified timestamp to reflect the metadata update



ljharb commented Mar 3, 2026

Whoops, the actual commit that introduced it is npm/node-semver@5c4c9f6, between v1.0.3 and v1.0.5 - I'll close this and reopen a proper one.

@ljharb ljharb closed this Mar 3, 2026
@github-actions github-actions bot deleted the ljharb-GHSA-x6fg-f45m-jf5q branch March 3, 2026 19:17