CVE-2022-25858
Regular Expression Denial of Service (ReDoS) vulnerability in terser
What is CVE-2022-25858 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) affecting `terser` versions before 4.8.1, and from 5.0.0 before 5.14.2. When terser minifies code, its compressor evaluates regular expressions found in that code at build time; a crafted input containing a catastrophically backtracking regex makes that evaluation consume unbounded CPU, denying service to whatever process runs the minifier. The attack is low complexity: the attacker supplies both the pattern and the string it is matched against, so nothing about the target needs to be discovered first.
Affected Software
- terser
- <4.8.1
- >5.0.0, <5.14.2
Technical Details
Affected versions of `terser` (before 4.8.1, and 5.0.0 up to but not including 5.14.2) are vulnerable to Regular Expression Denial of Service (ReDoS). The weakness is not a regex hard-coded in terser itself but the way the compressor handles regular expressions found in the code it is minifying. As part of constant folding in `lib/compress/evaluate.js`, a regex literal applied to a constant string (for example `/pattern/.test("literal")`) is executed at build time so that the result can be inlined into the output. Before the fix there was no check on what that regex looked like, so a pattern with nested or overlapping quantifiers (the classic `(a+)+$` shape) paired with a long non-matching string literal makes the minifier's own regex engine backtrack exponentially. The input is syntactically valid JavaScript; nothing about it needs to be malformed. The process running terser then pins a CPU core for as long as the backtracking takes, which for a few dozen characters of subject is effectively forever, so any build or service that minifies the attacker's input stalls.
What is the Impact of CVE-2022-25858?
Successful exploitation lets an attacker who can get terser to process their JavaScript make that process hang or exhaust its CPU budget, denying service to legitimate builds or requests. Because the work happens inside the minifier, a single pathological file is enough; no further interaction with the target is needed.
What is the Exploitability of CVE-2022-25858?
Exploitation requires only crafting a small, syntactically valid JavaScript input and getting a vulnerable `terser` version to minify it; complexity is low and no authentication or special privileges are needed. Whether the attack is remote depends entirely on the deployment. A build that only minifies first-party code exposes the vulnerability to its own developers and to anyone who can introduce code into its dependency tree, since third-party modules pass through the same minifier. Any server-side service that accepts JavaScript from users or third parties and runs terser on it (an online minifier, a CMS or plugin system that bundles uploaded scripts, a CI service that builds untrusted repositories) is remotely exploitable with a single request. Input validation is not a practical defence, because the payload is ordinary JavaScript; the fix is to upgrade, and until then to run minification in a separate process with a CPU or wall-clock limit so that a stuck job cannot take the service down with it.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25858?
About the Fix from Resolved Security
The patch (see the fix commits under Additional Resources) adds a `regexp_is_safe` check that gates the compile-time evaluation of regular expressions in `lib/compress/evaluate.js`. Only patterns made entirely of a small allow-list of simple characters are turned into `RegExp` objects and executed during compression; anything outside that set, notably repetition quantifiers such as `+`, `*`, `?` and `{n,m}`, which catastrophic backtracking depends on, is skipped. A skipped regex is simply left as-is in the output, so the change costs a little constant folding and no correctness. The fix does not make terser's regex engine linear-time; it avoids running attacker-controlled patterns during minification at all.
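The following is an added example, not terser's own code. It models the compile-time regexp folding described under Technical Details in two modes: the pre-fix behaviour, which executes any regexp literal it finds against a constant string, and the patched behaviour, which first applies an allow-list check modelled on the `regexp_is_safe` gate described above. Assumptions: `regexpIsSafe` approximates the fix's character set (the exact set in terser may differ; what matters is that repetition quantifiers are excluded), the `FOLDABLE_CALL` extractor is a simplified stand-in for terser's AST-based evaluation, and all inputs are constructed for the demonstration.

```javascript
// Added example, not terser's own code. Models the compile-time regexp
// folding in terser's compressor (lib/compress/evaluate.js) in two modes:
// the pre-fix behaviour, which executes any regexp literal against a
// constant string, and the patched behaviour, which first runs an
// allow-list check modelled on the regexp_is_safe gate. Inputs are constructed.

// Allow-list check modelled on the fix. Assumption: this character set
// approximates terser's; the important property is that repetition
// quantifiers (+ * ? {n,m}) are outside it, so a pattern such as (a+)+$
// is never executed at build time.
function regexpIsSafe(patternSource) {
  return /^[\\/|\0\s\w^$.[\]()]*$/.test(patternSource);
}

// Minimal stand-in for the AST shape terser folds: a regexp literal whose
// .test() is applied to a string literal, e.g. /ab/.test("xaby").
// (terser works on a parsed AST; this regex-based extractor is only a demo.)
const FOLDABLE_CALL = /^\/((?:\\.|[^\\\/])+)\/([a-z]*)\.test\("((?:\\.|[^\\"])*)"\)$/;

// Returns the minified form of one expression: the folded boolean literal
// when folding happens, or the source unchanged when it does not. `gated`
// selects the patched behaviour; false reproduces the vulnerable one.
function minifyRegexpTestCall(source, gated) {
  const m = FOLDABLE_CALL.exec(source);
  if (m === null) return source;                       // not a foldable shape
  const [, pattern, flags, rawSubject] = m;
  if (gated && !regexpIsSafe(pattern)) return source;  // fix: leave it alone
  const subject = JSON.parse('"' + rawSubject + '"');  // decode the string literal
  // Pre-fix path: the attacker-supplied regexp runs here, inside the minifier.
  return String(new RegExp(pattern, flags).test(subject));
}

// Constructed attacker input: valid JS whose regexp backtracks exponentially
// in the length of the subject. Only the gated path is applied to it below;
// the ungated one would pin a CPU core for a very long time.
const PATHOLOGICAL_INPUT = '/(a+)+$/.test("' + 'a'.repeat(40) + '!")';

// Measures the ungated path on short subjects to make the growth visible
// without hanging: each extra 'a' roughly doubles the time.
function backtrackingGrowthMs(lengths) {
  return lengths.map((n) => {
    const input = '/(a+)+$/.test("' + 'a'.repeat(n) + '!")';
    const t0 = process.hrtime.bigint();
    minifyRegexpTestCall(input, false);
    return Number(process.hrtime.bigint() - t0) / 1e6;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('safe pattern folded:', minifyRegexpTestCall('/^ab$/.test("ab")', true));
  console.log('unsafe pattern left in place:',
    minifyRegexpTestCall(PATHOLOGICAL_INPUT, true) === PATHOLOGICAL_INPUT);
  console.log('ungated timings (ms) for n=12..20:',
    backtrackingGrowthMs([12, 14, 16, 18, 20]).map((t) => t.toFixed(1)));
}
```

Run it with `node` to see the folded literal for the safe call, the pathological call passed through untouched by the gated path, and the doubling timings for the ungated path on subjects short enough to finish. Raising the ungated lengths much past the low twenties is how the real vulnerability manifests: the minifier never returns.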
Available Upgrade Options
- terser
- <4.8.1 → Upgrade to 4.8.1
- terser
- >5.0.0, <5.14.2 → Upgrade to 5.14.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-25858
- https://osv.dev/vulnerability/GHSA-4wf5-vphf-c2xc
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722
- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b
- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js#L135
What are Similar Vulnerabilities to CVE-2022-25858?
Similar Vulnerabilities: CVE-2022-3517, CVE-2022-24434, CVE-2022-22970, CVE-2023-28155, CVE-2023-26116
