Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
github.com/advisories/GHSA-c2qf-rxjj-qqgw
github.com/npm/node-semver/blob/main/classes/range.js#L97-L104
github.com/npm/node-semver/blob/main/internal/re.js#L138
github.com/npm/node-semver/blob/main/internal/re.js#L160
github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0
github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c
github.com/npm/node-semver/pull/564
github.com/npm/node-semver/pull/585
github.com/npm/node-semver/pull/593
nvd.nist.gov/vuln/detail/CVE-2022-25883
security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
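Two defensive checks a practitioner would want around this advisory, as an added example that is not part of the advisory text or of the node-semver project: a version test that encodes the affected ranges exactly as stated above (7.x before 7.5.2, 6.x before 6.3.1, everything else before 5.7.2) so a lockfile's installed copies can be flagged, and a guard that bounds what untrusted range text may reach `new Range`. The length cap, character allow-list and whitespace collapsing in the guard are assumptions (general ReDoS defence-in-depth, not the project's own fix; the fix is upgrading to a patched version), and the sample package list is constructed.

```javascript
// Added example, not from the advisory or node-semver. Encodes the affected
// version ranges from the advisory and a pre-parse guard for untrusted ranges.

// Fixed versions per the advisory: 7.x -> 7.5.2, 6.x -> 6.3.1, all others -> 5.7.2.
const FIXED_BY_MAJOR = { 7: [7, 5, 2], 6: [6, 3, 1] };
const FIXED_OTHER = [5, 7, 2];

// Parse "v1.2.3-beta.1+build" into [1, 2, 3]; prerelease/build are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed semver version falls inside the affected ranges.
function isVulnerableSemverVersion(installed) {
  const v = parseVersion(installed);
  const fixed = FIXED_BY_MAJOR[v[0]] || FIXED_OTHER;
  return cmp(v, fixed) < 0;
}

// Constructed sample: paths of installed semver copies (as a lockfile would
// list them) mapped to their versions. Not real data.
const SAMPLE_PACKAGES = {
  'node_modules/semver': '7.5.2',
  'node_modules/npm/node_modules/semver': '7.3.8',
  'node_modules/old-tool/node_modules/semver': '5.7.1',
  'node_modules/other/node_modules/semver': '6.3.1',
};

// Return the paths whose installed semver version is affected.
function findVulnerableSemver(packages) {
  return Object.entries(packages)
    .filter(([, version]) => isVulnerableSemverVersion(version))
    .map(([path]) => path)
    .sort();
}

// Guard for untrusted range text before it is handed to new Range().
// ASSUMPTIONS: the cap and allow-list are defence-in-depth choices, not
// values from the project. Backtracking cost grows with input length, so a
// hard cap bounds the worst case; the allow-list rejects characters that no
// valid range needs; runs of whitespace are collapsed to a single space.
const MAX_RANGE_LENGTH = 256;
const RANGE_CHARS = /^[0-9A-Za-z.\-+^~*<>=| \t]*$/;

function guardRangeInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_RANGE_LENGTH) return { ok: false, reason: 'too long' };
  if (!RANGE_CHARS.test(input)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value: input.replace(/\s+/g, ' ').trim() };
}

function main() {
  console.log('affected copies:', findVulnerableSemver(SAMPLE_PACKAGES));
  console.log(guardRangeInput('>=1.2.3   <2.0.0'));
  console.log(guardRangeInput('1.2.3; drop'));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

`findVulnerableSemver` is the piece to run over a real lockfile's `semver` entries (every nested copy, not just the top-level one); `guardRangeInput` belongs in front of any code path that passes request-supplied text to `new Range` or `semver.validRange`, and only reduces exposure on a still-unpatched copy.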