CVE-2022-25883: ReDoS Vulnerability in Legacy `semver` Package Puts `pg` and `pg-promise` Dependencies at Risk
A medium-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2022-25883, has been detected in a legacy version of the `semver` package, the semantic versioning parser used by npm itself and by a large share of the npm ecosystem. The flaw resides in the `new Range()` constructor (and is therefore reachable through any helper that builds a `Range`, such as `satisfies()` or `validRange()`) and is triggered when an attacker-controlled string is parsed as a version range: the range regexes backtrack catastrophically on crafted input, pinning the event loop and making the service unresponsive. The fix shipped in `semver` 7.5.2 and was backported to the 5.x and 6.x lines as 5.7.2 and 6.3.1; every release below those three versions is affected. This specific instance involves `semver-4.3.2.tgz`, a release that is now over eight years old, which illustrates the persistent risk of deeply nested, outdated dependencies in modern software supply chains.
The vulnerability was found within the dependency tree of the popular PostgreSQL client `pg` (version 5.1.0), which is itself a dependency of `pg-promise` (version 4.8.1). The path to the vulnerable file is `/node_modules/pg/node_modules/semver/package.json`. The nesting is significant: npm only installs a second copy of a package under a dependent's own `node_modules` when the dependent's declared range cannot be satisfied by the hoisted copy, so an application can have a fully patched top-level `semver` and still carry this 4.3.2 copy, invisible to anyone who checks only the root `package.json`. This is how a widely used database library can inadvertently inherit a security flaw from a low-level utility package, creating a hidden attack surface for applications that rely on it for database connectivity.
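The nested path above is exactly the kind of finding that a root-level check misses. The following script is an added example (not code from the advisory, nor from the `semver` or `pg` projects) that walks an npm lockfile's `packages` map (lockfileVersion 2 or 3) and flags every copy of `semver`, hoisted or nested, whose version falls inside the ranges published for CVE-2022-25883. The lockfile contents are a constructed sample that mirrors the tree described above; the version comparison is implemented inline on purpose, so that the audit does not depend on the very package it is auditing.

```javascript
// Added example: locate nested copies of semver affected by CVE-2022-25883
// in an npm lockfile. Not part of the original advisory or of semver/pg.

// Affected ranges as published for CVE-2022-25883 (GHSA-c2qf-rxjj-qqgw):
// fixed in 7.5.2, with backported fixes in 6.3.1 and 5.7.2.
const AFFECTED = [
  { min: null, max: [5, 7, 2] },       // < 5.7.2
  { min: [6, 0, 0], max: [6, 3, 1] },  // >= 6.0.0 < 6.3.1
  { min: [7, 0, 0], max: [7, 5, 2] },  // >= 7.0.0 < 7.5.2
];

// Minimal version parser: deliberately not require('semver'), since the
// package being audited is semver itself. Prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies in any of the affected ranges.
function isVulnerableSemver(version) {
  const v = parseVersion(version);
  return AFFECTED.some(r =>
    (r.min === null || compare(v, r.min) >= 0) && compare(v, r.max) < 0);
}

// Turn a lockfile key such as "node_modules/pg/node_modules/semver" into the
// physical nesting chain ["pg", "semver"]. This is where the copy sits on
// disk, not the full logical dependency chain (use `npm ls semver` for that).
function chainOf(key) {
  return key.split('node_modules/')
    .map(s => s.replace(/\/$/, ''))
    .filter(Boolean);
}

// Report every installed copy of `name` whose version satisfies `predicate`.
function findVulnerable(lock, name, predicate) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const chain = chainOf(key);
    if (chain[chain.length - 1] !== name || !entry.version) continue;
    if (predicate(entry.version)) {
      findings.push({ path: key, version: entry.version, chain });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical app name) mirroring the tree in
// the advisory: the hoisted semver is patched, but pg 5.1.0 carries its own
// nested 4.3.2 copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/pg-promise': { version: '4.8.1' },
    'node_modules/pg': { version: '5.1.0' },
    'node_modules/pg/node_modules/semver': { version: '4.3.2' },
  },
};

function scanSample() {
  return findVulnerable(SAMPLE_LOCK, 'semver', isVulnerableSemver);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSample()) {
    console.log(`${f.path}: semver@${f.version} affected by CVE-2022-25883` +
                ` (nested under ${f.chain.join(' > ')})`);
  }
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; only the hoisted 7.5.4 copy is skipped, and the copy under `pg` is reported. A quick cross-check without any script is `npm ls semver`, which prints every installed copy together with the logical chain that pulled it in.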
The presence of this dated vulnerability in active dependency chains underscores a systemic challenge in open-source maintenance. The severity is rated medium, and the practical exposure depends on reachability: the ReDoS only fires when an attacker-controlled string reaches `new Range()` or one of the helpers that construct a `Range`. A database client has no obvious reason to parse user-supplied version ranges, so a scanner hit on this path shows that vulnerable code is present in the tree, not that the application has a route for attacker input to reach it; that route should be confirmed before the finding is treated as exploitable. The package should still be removed from the tree regardless, either by upgrading `pg` (and with it `pg-promise`) to a release that no longer pulls in a pre-fix `semver`, or, where that is not immediately possible, by pinning the nested copy to 5.7.2 or later with an npm `overrides` entry. This case serves as a concrete warning about the cascading security implications of unpatched transitive dependencies and the operational pressure to maintain a comprehensive software bill of materials (SBOM) and continuous dependency updates.