Platform: nodejs
Component: terser
Fixed in: 4.8.1, 5.14.2
CVE-2022-25858 identifies a Regular Expression Denial of Service (ReDoS) vulnerability in the Terser package, a JavaScript parser, minifier and compressor. It allows attackers to trigger excessive CPU consumption, potentially leading to service disruption. The issue affects versions of Terser prior to 4.8.1 and those between 5.0.0 and 5.14.2. Applying the recommended upgrade resolves the vulnerability.
The ReDoS vulnerability in Terser arises from insecure regular expression usage. An attacker can craft malicious JavaScript code that, when processed by Terser, causes the regular expression engine to backtrack catastrophically and consume an excessive amount of CPU time. This can lead to denial of service, rendering applications that use the vulnerable Terser version unresponsive. The impact is particularly severe in environments where Terser processes user-supplied code or data, because an attacker could then trigger the DoS condition remotely. While it does not directly lead to data exfiltration, the service disruption can have significant operational consequences.
CVE-2022-25858 was publicly disclosed on 2022-07-16. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits demonstrating the ReDoS condition are available, which increases the risk of future exploitation.
Applications and services utilizing Terser for JavaScript minification or compression are at risk. This includes web applications, build systems (e.g., webpack, Parcel), and any Node.js projects that depend on Terser directly or indirectly through other packages. Developers using older versions of Terser in production environments are particularly vulnerable.
• nodejs / server: npm list terser
• nodejs / server: npm audit
• nodejs / server: Check package.json for terser versions < 4.8.1 or between 5.0.0 and 5.14.2.
• nodejs / server: Monitor CPU usage; spikes correlated with Terser processing could indicate exploitation.
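A version check of the kind listed above, as an added example that is not part of the original advisory: the script below walks the flat "packages" map of a package-lock.json (lockfile version 2 or 3), finds every installed copy of terser, including copies nested under other packages, and reports those whose version falls into the ranges the advisory names (below 4.8.1, or from 5.0.0 up to but not including 5.14.2). The lockfile contents are constructed for the example; the function and constant names are assumptions, not part of the terser project.

```javascript
// Added example (not from the original page): flag terser versions affected by
// CVE-2022-25858 in a package-lock.json "packages" map. Plain Node.js, no dependencies.

// Affected ranges from the advisory: [min, max) with a null min meaning "no lower bound".
const AFFECTED_RANGES = [
  { min: null, max: [4, 8, 1] },       // every release before 4.8.1
  { min: [5, 0, 0], max: [5, 14, 2] }, // 5.0.0 up to, but not including, 5.14.2
];

// Parse "major.minor.patch" from a version string; tolerates a leading "v", "^" or "~"
// and ignores any prerelease/build suffix (e.g. "5.14.2-beta.1" is treated as 5.14.2).
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in one of the affected ranges; unparsable input is not flagged.
function isAffectedTerserVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return AFFECTED_RANGES.some(
    ({ min, max }) => (min === null || compare(v, min) >= 0) && compare(v, max) < 0
  );
}

// Scan the lockfile's "packages" map. Keys look like "node_modules/terser" or
// "node_modules/webpack/node_modules/terser"; the last path segment is the package name.
function findAffectedTerser(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "terser" && meta && isAffectedTerserVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile: one fixed direct copy and two affected nested copies.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/terser": { version: "5.14.2" },                        // fixed
    "node_modules/webpack/node_modules/terser": { version: "5.10.0" },   // affected
    "node_modules/legacy-build/node_modules/terser": { version: "4.7.0" }, // affected
    "node_modules/terser-webpack-plugin": { version: "5.3.3" },          // different package
  },
};

// Stand-alone run: prints the affected copies found in the sample lockfile.
console.log(JSON.stringify(findAffectedTerser(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty result means at least one installed copy of terser still needs the upgrade, and the path tells you which dependency pulled it in.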
Disclosure
Exploit status
EPSS: 3.56% (88th percentile)
CVSS vector
The primary mitigation for CVE-2022-25858 is to upgrade the Terser package to version 4.8.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize JavaScript code before passing it to Terser. This can involve limiting the complexity of regular expressions or restricting the types of characters allowed. As a temporary workaround, consider using a Web Application Firewall (WAF) to filter out potentially malicious JavaScript code. After upgrading, confirm the fix by attempting to process known malicious JavaScript payloads and verifying that CPU usage remains within acceptable limits.
Update the terser package to version 4.8.1 or higher, or to version 5.14.2 or higher. This fixes the Regular Expression Denial of Service (ReDoS) vulnerability caused by the insecure use of regular expressions.
CVE-2022-25858 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Terser versions before 4.8.1 and 5.0.0 - 5.14.2, allowing attackers to cause excessive CPU consumption.
You are affected if your project uses Terser versions prior to 4.8.1 or between 5.0.0 and 5.14.2. Check your package.json file to determine your Terser version.
Upgrade to Terser version 4.8.1 or later. If immediate upgrade is not possible, implement input validation to sanitize JavaScript code before processing.
No active exploitation campaigns have been publicly reported, but public proof-of-concept exploits exist.
Refer to the Terser project's GitHub repository and associated security advisories for details: https://github.com/terser/terser