@angular-architects/module-federation version 15.0.3 security issue caused by semver 7.5.0 #344
Comments
|
this same problem with 16.0.4 
|
|
@manfredsteyer Can I ask you to deal with this? |
|
@manfredsteyer I would appreciate too if you could address issues related to CVE-2023-26115 and CVE-2022-25883. |
|
@manfredsteyer Any plan to fix it ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please ASAP upgrade semver to 7.5.2
There is vulnerability with CVE CVSS 3 severity of high/critical 7.5 level:
The semver package is vulnerable to Regular expression Denial of Service (ReDoS). Multiple functions and files listed below, fail to properly sanitize the range argument being provided by the user. An attacker, in some cases, can provide crafted inputs containing multiple whitespaces in the range, which when parsed by the package causes the regex engine to take longer, leading to a Denial of Service (DoS) condition.
More information is available in https://nvd.nist.gov/vuln/detail/CVE-2022-25883
The text was updated successfully, but these errors were encountered: