PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8855 Nodejs CVE debrief

CVE-2015-8855 is a denial-of-service issue in the semver package used in the Node.js ecosystem. A specially crafted, long version string can trigger excessive CPU consumption through regular expression backtracking, making the application slow or unresponsive. The issue is rated HIGH and is not listed in CISA KEV in the supplied data.

Vendor: Nodejs
Product: semver
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Owners and maintainers of Node.js applications that depend on semver, especially if version strings are accepted from untrusted input. Security teams, SREs, and dependency managers should also review direct and transitive use of the affected package.

Technical summary

NVD describes the flaw as a regular expression denial of service (ReDoS) in semver versions before 4.3.2. The impact is availability-only: no confidentiality or integrity impact is recorded, but crafted long version strings can consume CPU and degrade service. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which matches a remotely triggerable availability problem.

Defensive priority

High

Recommended defensive actions

  • Upgrade semver to 4.3.2 or later wherever it is directly or transitively used.
  • Audit Node.js applications and build pipelines for semver dependencies and lockfile pinning.
  • Review every code path that passes version strings into semver parsing or comparison, and reject unexpectedly long or malformed values before they reach the parser.
  • Monitor for abnormal CPU spikes or request latency in services that process version strings.
  • If immediate upgrading is not possible, reduce exposure by limiting untrusted access to version-parsing endpoints and constraining input size.
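The "constrain input size" and "reject malformed values" actions above can be implemented as a pre-check that runs before any untrusted string reaches semver. The following is an added example written for this debrief; it is not code from the semver project or from the advisory. It enforces an assumed maximum length (MAX_VERSION_LENGTH, chosen here for illustration) and then validates the MAJOR.MINOR.PATCH[-prerelease][+build] shape using only anchored, non-nested patterns on individual components, so the check itself runs in time linear in the input length regardless of what the downstream parser's regex does.

```javascript
// Added defensive example (not semver's own code): pre-validate untrusted
// version strings before handing them to a version parser.
// MAX_VERSION_LENGTH is an assumed cap; size it to your real inputs.
const MAX_VERSION_LENGTH = 256;

// Each pattern is anchored, has no nested quantifiers, and is only ever
// applied to one dot-separated component of a length-bounded string,
// so matching cannot backtrack catastrophically.
const NUMERIC = /^(0|[1-9][0-9]*)$/;        // no leading zeros
const IDENT = /^[0-9A-Za-z-]+$/;            // pre-release / build identifier

// Validate a list of dot-separated identifiers. When rejectLeadingZeros is
// true (pre-release), purely numeric identifiers must not have leading zeros.
function checkIdentifiers(list, rejectLeadingZeros) {
  for (const id of list) {
    if (!IDENT.test(id)) return `bad identifier "${id}"`;
    if (rejectLeadingZeros && /^[0-9]+$/.test(id) && !NUMERIC.test(id)) {
      return `numeric identifier with leading zero "${id}"`;
    }
  }
  return null;
}

// Returns { ok: true, version } for acceptable input, otherwise
// { ok: false, reason }. Length is checked first so nothing below ever
// touches an oversized string.
function checkVersionInput(input, maxLength = MAX_VERSION_LENGTH) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLength) {
    return { ok: false, reason: `longer than ${maxLength} characters` };
  }
  let s = input.trim();
  if (s.startsWith('v') || s.startsWith('=')) s = s.slice(1); // tolerate "v1.2.3"

  // Split off build metadata (after '+'), then pre-release (after first '-').
  const plus = s.indexOf('+');
  const build = plus === -1 ? null : s.slice(plus + 1);
  const beforeBuild = plus === -1 ? s : s.slice(0, plus);
  const dash = beforeBuild.indexOf('-');
  const core = dash === -1 ? beforeBuild : beforeBuild.slice(0, dash);
  const pre = dash === -1 ? null : beforeBuild.slice(dash + 1);

  const parts = core.split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: 'core must be MAJOR.MINOR.PATCH' };
  }
  for (const p of parts) {
    if (!NUMERIC.test(p)) return { ok: false, reason: `bad numeric component "${p}"` };
  }
  if (pre !== null) {
    const r = checkIdentifiers(pre.split('.'), true);
    if (r) return { ok: false, reason: 'pre-release: ' + r };
  }
  if (build !== null) {
    const r = checkIdentifiers(build.split('.'), false);
    if (r) return { ok: false, reason: 'build: ' + r };
  }
  return { ok: true, version: s };
}

// Wrap any parser (for example require('semver').parse) so that rejected
// input never reaches it; returns null instead of parsing.
function guardedParse(parseFn, input, maxLength = MAX_VERSION_LENGTH) {
  const check = checkVersionInput(input, maxLength);
  if (!check.ok) return null;
  return parseFn(check.version);
}

module.exports = { MAX_VERSION_LENGTH, checkVersionInput, guardedParse };
```

Place the guard at the trust boundary (request handler, webhook receiver, registry proxy) rather than deep in library code, and log the rejection reason: a sudden rise in "longer than N characters" rejections is a useful signal for the CPU-spike and latency monitoring recommended above.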

Evidence notes

Primary source text states that semver before 4.3.2 for Node.js allows attackers to cause denial of service via a long version string, described as a ReDoS. NVD assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and lists CWE-399. The supplied references include an Openwall oss-security mailing list post, a SecurityFocus VDB entry, and a NodeSecurity advisory. The NVD CPE mapping in the corpus is broader than the package-level description, so the semver version statement should be treated as the most specific affected-version guidance.

Official resources

Publicly disclosed and recorded in NVD on 2017-01-23T21:59:00.503Z; the supplied NVD record was last modified on 2026-05-13T00:24:29.033Z. No KEV entry is present in the supplied enrichment.