CVE-2022-25883 – Regular Expression Denial of Service (ReDoS)

Severity: None

2025-12-19


Abstract

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

The Oxygen products incorporate the semver package as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen Content Fusion v7.0 and older | None | N/A

Mitigation

None

Detail

CVE-2022-25883

Severity: High

CVSS Score: 7.5

Versions of the semver package prior to 7.5.2 are vulnerable to a Regular Expression Denial of Service (ReDoS) condition in the new Range function when it processes untrusted user input as a range. An attacker could potentially trigger excessive backtracking and CPU consumption by supplying crafted input to code paths that pass such input into semver’s range parsing.
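As an added example, not part of this advisory or the semver project's own code, the check below audits a package-lock.json for semver copies older than the fixed 7.5.2 release (including nested copies) and caps untrusted range strings before they reach a range parser; the sample lockfile, the function names and the 256-character cap are constructed assumptions.

```javascript
// Added example (not from the advisory or the semver project): audit a
// package-lock.json (v2/v3 "packages" map) for copies of semver older than
// the fixed release 7.5.2, and bound untrusted range input before parsing.

const FIXED = [7, 5, 2]; // first semver release that fixes CVE-2022-25883

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts plus a
// flag for a pre-release suffix; returns null for anything that does not match.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// True when the installed semver version sorts strictly before 7.5.2.
function isVulnerableSemverVersion(v) {
  const p = parseVersion(v);
  if (!p) return false; // unparsable: surface it separately rather than guess
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a pre-release of 7.5.2 sorts before the release: treat as vulnerable
}

// Return the lockfile paths of vulnerable semver copies. Nested copies such as
// node_modules/foo/node_modules/semver are included, since a hoisted fixed
// copy does not protect code that resolves to a nested older one.
function auditLockfile(lock) {
  const pkgs = (lock && lock.packages) || {};
  return Object.keys(pkgs)
    .filter((p) => p === 'node_modules/semver' || p.endsWith('/node_modules/semver'))
    .filter((p) => isVulnerableSemverVersion(pkgs[p].version));
}

// Bound an untrusted range string before it is handed to new Range(). The
// backtracking cost grows with input length, so a small cap limits how much
// work a crafted range can force the parser to do. Cap value is an assumption.
function guardRange(input, maxLen = 256) {
  if (typeof input !== 'string' || input.length > maxLen) {
    throw new Error('refusing to parse range: not a string or longer than ' + maxLen);
  }
  return input;
}

// Constructed sample lockfile: one vulnerable hoisted copy, one fixed nested copy.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/semver': { version: '7.3.8' },
    'node_modules/some-dep/node_modules/semver': { version: '7.5.4' },
  },
};
```

Running auditLockfile against a real lockfile is a quick way to confirm the conclusion in this advisory for your own builds; guardRange belongs in front of every call site that parses a range taken from a request or a document.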

We reviewed usage of semver in our code and dependencies. The flagged instances occur in contexts that do not process untrusted user input for range parsing. Based on this, we concluded there is no exploitable ReDoS path in supported product builds.
