Platform
nodejs
Component
uglify-js
Fixed in
2.6.0
CVE-2015-8858 describes a Denial of Service (DoS) vulnerability affecting the uglify-js Node.js package. This vulnerability arises from a flawed regular expression within the parse() method, which can be exploited by providing specially crafted malicious inputs. Attackers can leverage this to cause significant performance degradation, potentially leading to service unavailability. The vulnerability impacts versions of uglify-js prior to 2.6.0, and a fix is available in version 2.6.0.
An attacker can trigger this DoS vulnerability by crafting malicious input and sending it to the parse() method of an affected uglify-js instance. The flawed regular expression processing consumes excessive CPU resources, leading to a denial of service. This can effectively halt the execution of applications relying on uglify-js for JavaScript minification, impacting website availability and functionality. The impact is particularly severe in environments where uglify-js is used as part of a build pipeline or deployed in production, as an attacker could remotely disrupt the service without requiring authentication.
CVE-2015-8858 is not currently listed on the CISA KEV catalog. A public proof-of-concept (PoC) demonstrating the vulnerability exists, making exploitation relatively straightforward. The vulnerability's impact is primarily denial of service, but the ease of exploitation warrants attention. The vulnerability was publicly disclosed in 2017.
Node.js developers and DevOps teams using uglify-js in their projects are at risk. Specifically, projects using older versions of uglify-js (prior to 2.6.0) and those that do not have robust input validation mechanisms are particularly vulnerable. Applications that rely on uglify-js for minifying JavaScript code in production environments are also at increased risk.
• nodejs / server:
ps -eo pid,pcpu,etime,args | grep '[u]glify-js' # List processes running uglify-js with their CPU share; a parse that stays at high %CPU is the symptom described above
• nodejs / server:
journalctl -u nodejs | grep -i 'uglify-js' | grep -i 'error' # Look for errors related to uglify-js
• generic web:
Inspect Node.js application logs for unusual CPU spikes or memory usage correlated with uglify-js processing.
Exploit status
EPSS
0.90% (76th percentile)
CVSS vector
The primary mitigation for CVE-2015-8858 is to upgrade to uglify-js version 2.6.0 or later, which contains the fix for the regular expression vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize data passed to the parse() method. While not a complete solution, this can reduce the likelihood of exploitation. Monitor CPU usage on systems running uglify-js for unusual spikes, which could indicate an attempted attack. After upgrading, confirm the fix by attempting to parse a known malicious input string and verifying that CPU usage remains within acceptable limits.
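Checking the affected-version condition against a project's lockfile, as an added example that is not part of this advisory: the script below walks an npm package-lock.json (both the lockfileVersion 1 nested layout and the lockfileVersion 2/3 flat "packages" map), compares every uglify-js entry it finds against the fixed version 2.6.0 named above, and lists the install paths still below it. This is the "check your project dependencies" step of the mitigation; the sample lockfiles are constructed, and the function and constant names are the example's own.

```javascript
// Added example (not from the advisory): report uglify-js entries in an
// npm lockfile that are below 2.6.0, the fixed version named on the page.

const FIXED_VERSION = '2.6.0';
// Install paths that are an uglify-js package directory, at any depth.
const UGLIFY_PATH = /(^|\/)node_modules\/uglify-js$/;

// Numeric comparison of dotted version strings. Pre-release/build suffixes
// (e.g. "2.6.0-beta") are dropped; uglify-js publishes plain x.y.z releases.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range per the advisory: every version before 2.6.0.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/uglify-js" or "node_modules/tool/node_modules/uglify-js".
function scanPackagesMap(packages, findings) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (!UGLIFY_PATH.test(path)) continue;
    if (isVulnerable(meta.version)) findings.push({ path, version: meta.version });
  }
}

// lockfileVersion 1: nested "dependencies" trees; recurse, tracking the path.
function scanDependencyTree(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'uglify-js' && isVulnerable(meta.version)) {
      findings.push({ path, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, `${path}/`, findings);
  }
}

// v2 lockfiles carry both layouts; prefer "packages" to avoid double counting.
function findVulnerableUglify(lock) {
  const findings = [];
  if (lock.packages) scanPackagesMap(lock.packages, findings);
  else scanDependencyTree(lock.dependencies, '', findings);
  return findings;
}

// Constructed sample lockfiles (not from a real project): one v3, one v1.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/uglify-js': { version: '2.4.24' },
    'node_modules/some-build-tool': { version: '3.1.0' },
    'node_modules/some-build-tool/node_modules/uglify-js': { version: '2.6.0' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-build-tool': {
      version: '3.1.0',
      dependencies: { 'uglify-js': { version: '2.5.0' } },
    },
    'uglify-js': { version: '3.0.0' },
  },
};

function main() {
  for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
    const findings = findVulnerableUglify(lock);
    console.log(`lockfileVersion ${lock.lockfileVersion}:`,
      findings.length ? findings : `no uglify-js below ${FIXED_VERSION}`);
  }
}
main();
```

Nested copies matter: a build tool can carry its own uglify-js under its node_modules, which is why the scan walks every install path rather than only the root dependency. To run it against a real project, parse the lockfile with JSON.parse and pass the object to findVulnerableUglify.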
No official patch available. Check for workarounds or monitor for updates.
CVE-2015-8858 is a Denial of Service vulnerability in the uglify-js Node.js package, allowing attackers to cause performance degradation by exploiting a flawed regular expression in the parse() method.
You are affected if you are using a version of uglify-js prior to 2.6.0. Check your project dependencies and update if necessary.
Upgrade to version 2.6.0 or later of uglify-js. Consider implementing input validation as an additional precaution.
While no active exploitation campaigns have been publicly reported, the availability of a proof-of-concept makes it potentially exploitable.
Refer to the official npm advisory and the CVE record for more details: https://nvd.nist.gov/vuln/detail/CVE-2015-8858