Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Recommendation

Update to version 4.3.2 or later

References

• https://nvd.nist.gov/vuln/detail/CVE-2015-8855
• GHSA-x6fg-f45m-jf5q
• https://www.npmjs.com/advisories/31
• https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
• http://www.openwall.com/lists/oss-security/2016/04/20/11
• http://www.securityfocus.com/bid/86957
• github/advisory-database#7102
• npm/node-semver@5c4c9f6
• npm/node-semver@c80180d