Openvidu-angular has security vulnerability from semver


We’re using openvidu-angular and openvidu-browser (version 2.23.0) in an Angular 14 project.
I would like to know how we can fix the security vulnerabilities that are coming from vulnerable versions of semver in the openvidu library.

Here’s the npm audit report:

# npm audit report

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service -
fix available via `npm audit fix --force`
Will install openvidu-browser@2.20.0, which is a breaking change
  openvidu-browser  >=2.21.0-beta1
  Depends on vulnerable versions of semver
    openvidu-angular  >=2.21.0
    Depends on vulnerable versions of openvidu-browser

Thank you for reporting.

I’ve seen the CVE. Looks like the DoS is possible with untrusted user data. semver is only used to check backend and frontend versions, which are fixed and well known string constants.

Also, this is more feasible when semver is used on the backend side, which is not the case for openvidu-browser, which is mainly used in the frontend.

You can rest assured 🙂