CVE-2015-8858
Regular Expression Denial of Service (ReDoS) vulnerability in uglify-js (npm)
What is CVE-2015-8858 About?
Versions of `uglify-js` prior to 2.6.0 are vulnerable to a Regular Expression Denial of Service (ReDoS) when malicious inputs are passed into the `parse()` method. This occurs due to inefficient regular expression processing, which can lead to excessive CPU consumption and application unresponsiveness. Exploitation is relatively easy by crafting specific string inputs.
Affected Software
Technical Details
The vulnerability in uglify-js before version 2.6.0 is a Regular Expression Denial of Service (ReDoS) in the parse() method. When parse() is invoked with a specially crafted, lengthy string containing patterns that trigger catastrophic backtracking in JavaScript's regular expression engine (for example, repeating groups with quantifiers that can match the same characters in multiple ways), processing time grows exponentially with input length. The proof-of-concept described in the original report demonstrates this by feeding a progressively longer string of '1's followed by '.1ee7' into the parser. This input causes the regular expression to evaluate an extremely large number of paths, consuming significant CPU time and rendering the application unresponsive, effectively achieving a denial of service.
What is the Impact of CVE-2015-8858?
Successful exploitation may allow attackers to cause a denial of service, making the application or service unresponsive and unavailable to legitimate users.
What is the Exploitability of CVE-2015-8858?
Exploitation of this ReDoS vulnerability involves crafting a malicious string input that, when processed by the parse() method of uglify-js, triggers excessive backtracking in a regular expression. The complexity is low, as the attacker only needs to generate and supply a specific pattern of characters. No authentication or specific privileges are required, provided the attacker can submit input that is eventually processed by the vulnerable parse() method. This is typically a remote vulnerability if the uglify-js utility or library is used to parse untrusted, user-supplied JavaScript code or data. Special conditions include the application processing untrusted content with vulnerable versions of uglify-js. The likelihood of exploitation increases if uglify-js is exposed to external input, such as in online code minifiers or web applications that process user-submitted JavaScript.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-8858?
Available Upgrade Options
- uglify-js
- <2.6.0 → Upgrade to 2.6.0
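To find every copy of uglify-js in a project that still falls in the affected range, including nested copies pulled in by build tools, here is an added example (not from the advisory or the uglify-js project) that scans a parsed package-lock.json against the fixed version named above; the lockfile object in the block is constructed for illustration.

```javascript
// Added example, not code from the advisory or from uglify-js: scan a
// parsed package-lock.json for uglify-js installs in the affected range (< 2.6.0).
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

const FIXED = [2, 6, 0]; // first fixed release named in the advisory

// Return [major, minor, patch] or null for non-semver specifiers (git URLs, tags).
function parseVersion(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version < 2.6.0; unparseable versions are flagged for manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false; // exactly 2.6.0
}

// Return [{ path, version }] for every affected uglify-js copy, including nested ones.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/foo/node_modules/uglify-js".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/uglify-js$/.test(path) && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: recursive "dependencies" tree; rebuild the install path while walking.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'uglify-js' && isAffected(entry.version)) hits.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v1 layout): a fixed top-level copy and a vulnerable nested one.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'uglify-js': { version: '2.6.0' },
    'some-build-tool': { version: '1.0.0', dependencies: { 'uglify-js': { version: '2.4.24' } } },
  },
};

console.log(JSON.stringify(findAffected(SAMPLE_LOCK)));
```

Run it against `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result means a copy in the affected range is still installed even if the top-level dependency was upgraded.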
Additional Resources
- https://osv.dev/vulnerability/GHSA-c9f4-xj24-8jqx
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://nvd.nist.gov/vuln/detail/CVE-2015-8858
- http://www.securityfocus.com/bid/96409
- https://github.com/advisories/GHSA-c9f4-xj24-8jqx
- https://www.npmjs.com/advisories/48
- https://nodesecurity.io/advisories/48
What are Similar Vulnerabilities to CVE-2015-8858?
Similar Vulnerabilities: CVE-2015-8857, CVE-2015-8859, CVE-2015-8860, CVE-2015-8861, CVE-2015-8862
