CVE-2021-43307: 
JavaScript vulnerability analysis and mitigation

An exponential ReDoS (Regular Expression Denial of Service) vulnerability was discovered in the semver-regex npm package, identified as CVE-2021-43307. The vulnerability was discovered by Denys Vozniuk of the JFrog Security Research Team and was published on May 30, 2022. The vulnerability affects semver-regex versions up to 3.1.3 and versions 4.0.0 through 4.0.2 (JFrog Research).

The vulnerability occurs when an attacker can supply arbitrary input to the test() method of the semver-regex package. The issue is classified as a Regular Expression Denial of Service (ReDoS) with a CVSS v3.1 score of 7.5 (HIGH) and CVSS v2.0 score of 5.0 (MEDIUM). A proof of concept for triggering the vulnerability involves using the pattern '0.0.1-' + '-.--'.repeat(i) + ' ' (JFrog Research, NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition through CPU consumption caused by the exponential regular expression processing. This can potentially affect the availability of services using the vulnerable package (NVD).

The vulnerability has been fixed in versions 3.1.4 and 4.0.3 of the semver-regex package. Users should upgrade to these or later versions to mitigate the vulnerability. No alternative mitigations are provided for this issue (JFrog Research).