Platform: nodejs
Component: uglify-js
Fixed in: 2.6.0
CVE-2015-8858 is a regular expression denial of service (ReDoS) vulnerability in the uglify-js Node.js package. A regular expression used by the parse() method backtracks catastrophically on certain inputs, so a specially crafted string makes a single parse() call consume CPU for a time that grows superlinearly with the input length. An attacker who controls what is passed to parse() can use this to degrade or stall the process and make the service unavailable. All versions of uglify-js before 2.6.0 are affected; the fix is in version 2.6.0.
Exploitation requires only that attacker-controlled text reaches parse(). The flawed regular expression then spends its time backtracking instead of returning, and because parse() is synchronous the Node.js event loop is blocked for the duration, stalling every other request handled by that process. The impact ranges from slow responses to a complete outage, depending on the length of the malicious input and on whether it can be submitted repeatedly. The proof-of-concept published with the original advisory (not reproduced here) shows execution time rising sharply as the input string grows. Exposure is greatest where uglify-js processes untrusted JavaScript: a build pipeline that minifies third-party or user-contributed code, or a production service that parses or minifies scripts submitted at runtime. Minifying only your own checked-in source is far less exposed, since an attacker would first have to get code into that source.
CVE-2015-8858 was publicly disclosed in 2015, with the CVE record published on October 24, 2017. While no active exploitation campaigns have been publicly reported, the availability of a simple proof-of-concept makes it potentially attractive to attackers. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the widespread use of uglify-js in Node.js projects, warrants careful attention and prompt remediation.
Exploit Status
EPSS: 0.90% (76th percentile)
CVSS Vector
The primary mitigation for CVE-2015-8858 is to upgrade to uglify-js version 2.6.0 or later, which fixes the vulnerable regular expression; also update any dependency that pulls in its own older copy of uglify-js, because a nested copy is exploited just as easily as a direct one. If upgrading is not immediately feasible, reduce what can reach parse(): cap the length of any untrusted input before it is parsed, since ReDoS cost is driven by input length and a triggering pattern cannot be reliably sanitized out without knowing the regular expression, and run parse() in a worker thread or child process with a wall-clock timeout so that a slow parse cannot block the main event loop. A Web Application Firewall helps only where the input arrives over HTTP and a rule can recognize the triggering pattern; treat it as defense in depth, not as the fix. Alert on sustained CPU saturation or rising event-loop lag in processes that call parse(), which is what exploitation looks like from the outside. After upgrading, confirm the fix by timing parse() on inputs of increasing length and checking that the time grows roughly linearly rather than exploding.
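The following is an added example for this page, not code from uglify-js or from the original advisory. It illustrates three things the text above describes: how a nested-quantifier regular expression turns an almost-valid input into catastrophic backtracking, how a length cap in front of the parser bounds that cost, and how to check after an upgrade that parse time grows roughly linearly with input size. The two regular expressions and the parse stand-ins are constructed for illustration; they are not the pattern from uglify-js parse() and do not reproduce CVE-2015-8858. The 1 MiB default limit is an assumption to be replaced with a value derived from your own legitimate inputs.

```javascript
'use strict';
// Added example for this page; not code from uglify-js or the original
// advisory. The regexes are constructed to show catastrophic backtracking and
// are NOT the pattern in uglify-js parse().

// Nested quantifier: when the trailing "!" makes the match fail, the engine
// retries every way of splitting the digit run between the inner and outer
// loop before giving up, which is O(2^n) steps for n digits.
const VULNERABLE_RE = /^(\d+)+$/;
// Same language, one quantifier: a single left-to-right pass, O(n).
const SAFE_RE = /^\d+$/;

// Stand-ins for a parser entry point such as uglify.parse(src).
function vulnerableParse(src) { return VULNERABLE_RE.test(src); }
function safeParse(src) { return SAFE_RE.test(src); }

// Constructed attack shape: a long run that almost matches and fails at the end.
function almostNumber(n) { return '1'.repeat(n) + '!'; }

// Best-of-N wall-clock time in milliseconds, to damp JIT and GC noise.
function bestOfMs(fn, arg, runs = 5) {
  let best = Infinity;
  for (let i = 0; i < runs; i++) {
    const t0 = process.hrtime.bigint();
    fn(arg);
    const dt = Number(process.hrtime.bigint() - t0) / 1e6;
    if (dt < best) best = dt;
  }
  return best;
}

// Mitigation: bound what reaches the parser. The 1 MiB default is an
// assumption; derive the real limit from the largest legitimate input you see.
function makeGuardedParse(parseFn, maxLen = 1024 * 1024) {
  return function guardedParse(src) {
    if (typeof src !== 'string') throw new TypeError('source must be a string');
    if (src.length > maxLen) {
      throw new RangeError(`input of ${src.length} chars exceeds limit of ${maxLen}`);
    }
    return parseFn(src);
  };
}

// Post-upgrade check: time the parser at two input sizes and return how much
// the cost per character grew. Near 1 means linear; a large number means the
// parser still backtracks superlinearly on this input shape.
function growthFactor(parseFn, makeInput, small = 12, large = 20) {
  const perCharSmall = bestOfMs(parseFn, makeInput(small)) / small;
  const perCharLarge = bestOfMs(parseFn, makeInput(large)) / large;
  return perCharLarge / Math.max(perCharSmall, 1e-6);
}

if (typeof require !== 'undefined' && require.main === module) {
  const guarded = makeGuardedParse(safeParse, 64);
  console.log('guarded parse of 10 digits:', guarded('1234567890'));
  try { guarded('1'.repeat(100)); } catch (e) { console.log('rejected:', e.message); }
  for (const [name, fn] of [['vulnerable', vulnerableParse], ['safe', safeParse]]) {
    console.log(name, 'growth factor:', growthFactor(fn, almostNumber).toFixed(1));
  }
}
```

To apply this to the real package, pass uglify.parse (or a wrapper that discards its return value) as parseFn and a generator for the input shape you are worried about as makeInput; a growth factor that stays near 1 across sizes after the upgrade is the confirmation the text above asks for. Keep the size arguments modest on a vulnerable build, since the point of the test is that a few extra characters multiply the running time.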
CVE-2015-8858 is a Denial of Service vulnerability in the uglify-js Node.js package, allowing attackers to cause performance degradation by exploiting a flawed regular expression in the parse() method.
You are affected if you are using a version of uglify-js prior to 2.6.0. Check your project dependencies and update if necessary.
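One way to do that dependency check, as an added example that is not part of this page or of npm's own tooling: walk a package-lock.json and report every installed copy of uglify-js, flagging any below 2.6.0. It handles both lockfile layouts (the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map of versions 2 and 3). The two lock files embedded at the bottom are constructed samples, and "legacy-build-tool" is a hypothetical package name used only to show a transitive older copy.

```javascript
'use strict';
// Added example for this page, not code from uglify-js or npm. Reports every
// installed copy of uglify-js in a package-lock.json and flags those below
// the fixed version. The sample lock files below are constructed.

const FIXED_VERSION = '2.6.0';
const PACKAGE = 'uglify-js';

// Minimal semver compare: numeric major.minor.patch, then a pre-release tag
// ranks below the bare version (2.6.0-beta < 2.6.0). Returns -1, 0 or 1.
function compareSemver(a, b) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([^+]+))?/.exec(v.trim());
    if (!m) throw new Error(`not a semver version: ${v}`);
    return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;    // release ranks above any pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;  // rough ordering of pre-release tags
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1: dependencies are nested objects keyed by package name.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE) out.push({ path, version: entry.version });
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2 and 3: "packages" is flat, keyed by install path such as
// "node_modules/foo/node_modules/uglify-js"; the name is everything after the
// last "node_modules/", which keeps scoped names like @scope/name intact.
function walkPackages(packages, out) {
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === '') continue; // the root project entry
    const idx = path.lastIndexOf('node_modules/');
    const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
    if (name === PACKAGE) out.push({ path, version: entry.version });
  }
}

// One finding per installed copy; an empty array means uglify-js is absent.
function auditLock(lock) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock.dependencies, '', out);
  return out.map((f) => ({ ...f, vulnerable: isVulnerable(f.version) }));
}

// Constructed sample: a direct dependency on the fixed release plus an older
// transitive copy pulled in by the hypothetical package "legacy-build-tool".
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/uglify-js': { version: '2.6.0' },
    'node_modules/legacy-build-tool': { version: '0.9.0' },
    'node_modules/legacy-build-tool/node_modules/uglify-js': { version: '2.4.24' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'uglify-js': { version: '2.6.0' },
    'legacy-build-tool': {
      version: '0.9.0',
      dependencies: { 'uglify-js': { version: '2.4.24' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V3;
  for (const f of auditLock(lock)) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.version.padEnd(8)} ${f.path}`);
  }
}
```

Run it as `node audit-uglify.js path/to/package-lock.json`; with no argument it audits the embedded sample and flags the nested 2.4.24 copy while passing the top-level 2.6.0. A clean top-level version is not enough, which is why the walk reports every path: the transitive copy is the one `npm ls uglify-js` would also show, and it is exploited exactly like a direct one. The lock file only records what npm installed, so a copy vendored inside another package's source tree will not appear here.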
Upgrade to version 2.6.0 or later of uglify-js. Consider implementing input validation as an additional precaution.
No active exploitation campaigns have been publicly reported, but a public proof-of-concept exists and the attack needs nothing more than the ability to supply input to parse(), so treat it as readily exploitable wherever untrusted input reaches the parser.
Refer to the official npm advisory and the CVE record for more details: https://nvd.nist.gov/vuln/detail/CVE-2015-8858