
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-25883 affects versions of the package semver before 7.5.2, specifically versions 7.0.0-7.5.1, 6.0.0-6.3.0, and versions prior to 5.7.2. The vulnerability was discovered on January 25, 2023, and publicly disclosed on June 20, 2023. This security issue affects the semver package, which is a semantic version parser widely used by npm (Snyk Advisory).
The vulnerability is classified as a Regular Expression Denial of Service (ReDoS) that occurs in the Range constructor (new Range) when untrusted user data is passed in as a range string. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is tracked under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).
Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition through excessive CPU consumption. When processing maliciously crafted input, the regular expression processing can enter a catastrophic backtracking state, causing the service to become unresponsive (Snyk Advisory).
The recommended mitigation is to upgrade semver to version 5.7.2, 6.3.1, 7.5.2 or higher. The fix was implemented through improved handling of whitespace in the regular expressions used by the package (GitHub PR).
The vulnerability has received significant attention from the developer community, particularly due to semver's widespread use in the npm ecosystem. There were numerous requests from developers to backport the fix to older versions (5.x and 6.x) due to dependency constraints, though maintainers initially indicated no plans to backport due to technical debt in older versions (GitHub PR).
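As an added example (not semver's, Wiz's or the advisory's own code), the following Node.js helpers put the two points above into practice: an audit function that checks an installed semver version against the affected ranges stated here (fixed in 5.7.2, 6.3.1 and 7.5.2, everything before 5.7.2 affected), and a pre-filter to apply to untrusted range strings before they reach new Range or semver.validRange(). The length cap, the character allowlist and the whitespace-collapsing policy are this example's own assumptions, not part of semver.

```javascript
'use strict';
// Added example, not semver's or Wiz's code. Two defender-side helpers:
// 1. isAffectedSemverVersion(): audits an installed semver version against
//    the affected ranges stated in the advisory (fixed in 5.7.2, 6.3.1, 7.5.2).
// 2. sanitizeRangeInput(): a pre-filter for untrusted strings before they are
//    handed to `new Range` / semver.validRange(). The length cap, character
//    allowlist and whitespace policy are this example's own assumptions.

// Fix versions per the advisory, keyed by major line. Majors below 5 have no
// fixed release at all ("versions prior to 5.7.2" are affected).
const FIXED_BY_MAJOR = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

// Parses MAJOR.MINOR.PATCH (an optional leading "v" is tolerated); any
// pre-release or build suffix is ignored for this audit.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true when the given semver package version lies in an affected
// range, false when it carries the fix, null when the version is unparsable.
function isAffectedSemverVersion(version) {
  const t = parseVersion(version);
  if (!t) return null;
  const major = t[0];
  if (major < 5) return true;   // everything before 5.7.2 is affected
  if (major > 7) return false;  // 8.x and later were never affected
  return compareTriples(t, FIXED_BY_MAJOR[major]) < 0;
}

const MAX_RANGE_LEN = 256; // assumed bound; semver itself imposes none
// Characters that legitimately occur in a semver range expression.
const RANGE_CHARSET = /^[0-9A-Za-z.+\-~^<>=|*\s]*$/;

// Normalises an untrusted range string so the regexes inside the Range parser
// only ever see short, single-spaced input. Returns { ok: true, value } or
// { ok: false, reason } for input that should be rejected outright.
function sanitizeRangeInput(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (raw.length > MAX_RANGE_LEN) return { ok: false, reason: 'too long' };
  if (!RANGE_CHARSET.test(raw)) return { ok: false, reason: 'illegal character' };
  // Collapse every whitespace run to one space and trim. The advisory's fix
  // concerned whitespace handling in the range regexes, so after this linear
  // pass the remaining input carries no long runs for a regex to explore.
  const value = raw.replace(/\s+/g, ' ').trim();
  if (value.length === 0) return { ok: false, reason: 'empty' };
  return { ok: true, value };
}

// Constructed sample run: versions taken from the advisory's stated ranges.
for (const v of ['4.3.2', '5.7.1', '5.7.2', '6.3.0', '6.3.1', '7.5.1', '7.5.2', '8.0.0']) {
  console.log(v, isAffectedSemverVersion(v) ? 'AFFECTED' : 'fixed');
}
console.log(sanitizeRangeInput('>=1.2.3    <2.0.0 || ^3.0.0'));
```

The audit helper is meant to run over the versions reported by npm ls semver (including nested copies, since several majors are commonly present in one lockfile); the sanitizer is a belt-and-braces measure for services that accept version ranges from users and cannot upgrade every transitive copy immediately, and it does not replace the upgrade.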
Source: This report was generated using AI