CVE-2015-8857
Code Alteration vulnerability in uglify-js (npm)
What is CVE-2015-8857 About?
Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability that may cause crafted JavaScript to have altered functionality after minification. This could lead to unexpected behavior or security bypasses in applications. Exploitation is moderately complex, requiring knowledge of `uglify-js`'s minification logic and JavaScript syntax.
Affected Software
- uglify-js
- <2.4.24
- uglifier
- <2.7.2
Technical Details
The vulnerability in uglify-js before version 2.4.24 stems from flaws in its minification process. When certain crafted JavaScript code is processed, the minifier might introduce unintended changes to its functionality. This is not necessarily a bug that causes a crash, but rather one that alters the semantic meaning or execution flow of the code after minification. For example, specific code constructs or obscure JavaScript features might be misinterpreted or optimized in a way that changes their behavior, leading to a different outcome than the original unminified code. This could potentially be exploited by an attacker who submits malicious JavaScript that, when minified by the vulnerable uglify-js, triggers a security bypass, logical error, or other unintended behavior in the application using the minified code.
What is the Impact of CVE-2015-8857?
Successful exploitation may lead to unintended code execution, logical errors in applications, or security bypasses, potentially compromising application integrity or user data.
What is the Exploitability of CVE-2015-8857?
Exploitation of this code alteration vulnerability involves crafting JavaScript code that, when minified by uglify-js version prior to 2.4.24, results in an altered and exploitable functionality. The complexity is moderate, requiring a detailed understanding of both JavaScript language nuances and the internal workings of the uglify-js minifier. No authentication is typically required for the initial submission of the malicious JavaScript, assuming the application allows users to provide code for minification or subsequent execution. Privilege requirements are low at the point of submitting the malicious code. This is generally a remote vulnerability if the minification process is exposed to external input. Special conditions involve the application deploying client-side code that has been minified by a vulnerable uglify-js version, or directly minifying untrusted JavaScript inputs. The likelihood of exploitation increases if the application relies on strict adherence to original code functionality after minification, particularly in security-sensitive areas.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2015-8857?
Available Upgrade Options
- uglifier
- <2.7.2 → Upgrade to 2.7.2
- uglify-js
- <2.4.24 → Upgrade to 2.4.24
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- http://www.securityfocus.com/bid/96410
- https://nvd.nist.gov/vuln/detail/CVE-2015-8857
- https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e
- https://nodesecurity.io/advisories/39
- https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://github.com/mishoo/UglifyJS2/issues/751
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml
- https://zyan.scripts.mit.edu/blog/backdooring-js
What are Similar Vulnerabilities to CVE-2015-8857?
Similar Vulnerabilities: CVE-2015-8858 , CVE-2015-8859 , CVE-2013-0570 , CVE-2014-0485 , CVE-2020-7760
