Platform
nodejs
Component
terser
Fixed in
4.8.1
5.14.2
CVE-2022-25858 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the Terser JavaScript parser and compressor library. Crafted input processed by Terser can trigger excessive CPU consumption, potentially leading to service disruption. The issue affects versions prior to 4.8.1 and versions from 5.0.0 up to but not including 5.14.2. Fixes have been released in version 4.8.1 (4.x line) and version 5.14.2 (5.x line).
The ReDoS vulnerability in Terser arises from insecure regular expression usage within the library. An attacker who can get crafted JavaScript source in front of Terser causes the regular expression engine to enter catastrophic backtracking, where the time needed to reject the input grows far faster than the input length. Because JavaScript regular expression matching is synchronous and cannot be interrupted once started, the event loop of the process running Terser stalls for the duration of the match, and repeated submissions exhaust CPU. The blast radius covers any application that runs Terser on input it does not control: online minification or bundling services, build pipelines that process third-party or user-submitted code, and other Node.js systems that embed the library. A build that only minifies its own trusted source is exposed only if that source can be influenced by an attacker (for example through a compromised dependency). The issue does not allow data exfiltration or code execution, but the service disruption can be significant.
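The mechanism described above, as an added example that is not code from the Terser project and does not reproduce Terser's vulnerable pattern: a textbook nested-quantifier regex is timed against a constructed adversarial input next to a linear-time regex that accepts the same language. The input lengths and the patterns are chosen for illustration only.

```javascript
// Added example (constructed; not the regex from terser). The nested
// quantifier in EVIL lets the engine split the run of "a" characters between
// the inner and outer "+" in every possible way before it can give up, so the
// work roughly doubles with each extra character once the overall match fails.
const EVIL = /^(a+)+$/;   // nested quantifiers: exponential backtracking on failure
const SAFE = /^a+$/;      // accepts exactly the same strings, linear time

// Constructed adversarial input: n matching characters followed by one that
// forces the whole match to fail, which is what triggers the backtracking.
function craftInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run one pattern against one input and report whether it matched and how long
// the synchronous test() call blocked the thread (uses the global performance
// object available in modern Node.js).
function timeMatch(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Cost of the vulnerable and the equivalent safe pattern on the same input.
function compare(n) {
  const input = craftInput(n);
  return { n, evil: timeMatch(EVIL, input), safe: timeMatch(SAFE, input) };
}

// Both patterns agree on the result for every input; only the cost differs.
function sameVerdict(input) {
  return EVIL.test(input) === SAFE.test(input);
}

for (const n of [10, 14, 18, 22, 24]) {
  const r = compare(n);
  console.log(`n=${n}: evil ${r.evil.ms.toFixed(2)} ms, safe ${r.safe.ms.toFixed(3)} ms`);
}
```

Raising n by two in the loop above is enough to see the vulnerable pattern's time multiply while the safe pattern stays flat; because the call is synchronous nothing in the same thread can stop it, which is why the advisory's fallback advice is to isolate the work in a process that can be killed.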
CVE-2022-25858 was publicly disclosed on 2022-07-16. No known active exploitation campaigns have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of triggering the ReDoS condition.
Exploit Status
EPSS
3.56% (88th percentile)
CVSS Vector
The primary mitigation for CVE-2022-25858 is to upgrade: to Terser 4.8.1 or later on the 4.x line, or to 5.14.2 or later on the 5.x line. If upgrading is not immediately feasible, reduce exposure rather than trying to sanitize JavaScript source before minification, which is not practical: do not pass untrusted code to Terser, or run minification in a separate worker or child process with a hard time limit and memory cap so that a stalled match can be killed without taking down the service. A web application firewall in front of an endpoint that accepts code can rate-limit or size-limit submissions, but it cannot reliably recognize the specific input that triggers the backtracking, so treat it only as a temporary layer. Monitor CPU usage on servers running applications that use Terser; sustained high utilization tied to minification requests could indicate an ongoing attack. After upgrading, confirm the fix by checking that every installed copy of Terser, including transitive ones, is at a fixed version and, where a proof-of-concept input is available, by processing it inside a time-bounded process and observing that it completes promptly.
Update the terser package to version 4.8.1 or higher on the 4.x line, or to version 5.14.2 or higher on the 5.x line. This corrects the Regular Expression Denial of Service (ReDoS) vulnerability caused by insecure use of regular expressions.
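The version check that the mitigation and remediation text above calls for, as an added example that is not Terser project code: it walks a dependency tree in the shape printed by `npm ls --all --json`, finds every copy of terser (direct or transitive) and flags the ones inside the affected ranges. The tree embedded below is constructed for the example, and the package versions in it are illustrative.

```javascript
// Added example (not terser project code): find every installed terser and
// test it against the CVE-2022-25858 affected ranges:
//   < 4.8.1   and   >= 5.0.0 < 5.14.2
// Input format is the object printed by `npm ls --all --json`:
//   { name, version, dependencies: { <name>: { version, dependencies: {...} } } }

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into numeric parts plus a
// prerelease flag. Build metadata (+...) is ignored, as semver requires.
function parseVersion(v) {
  const [core, pre] = v.replace(/^v/, '').split('+')[0].split('-');
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver version: ${v}`);
  }
  return { parts, prerelease: pre !== undefined };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same core,
// so "5.14.2-beta.1" is still treated as older than the fixed 5.14.2.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.parts[i] !== y.parts[i]) return x.parts[i] < y.parts[i] ? -1 : 1;
  }
  if (x.prerelease === y.prerelease) return 0;
  return x.prerelease ? -1 : 1;
}

// Affected ranges from the advisory: [0.0.0, 4.8.1) and [5.0.0, 5.14.2).
function isAffected(version) {
  if (compareVersions(version, '4.8.1') < 0) return true;
  return compareVersions(version, '5.0.0') >= 0 && compareVersions(version, '5.14.2') < 0;
}

// Depth-first walk over the npm tree, recording the path to each terser node.
function findTerser(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'terser') {
      out.push({ version: node.version, path: here.join(' > '), affected: isAffected(node.version) });
    }
    findTerser(node, here, out);
  }
  return out;
}

// Constructed sample tree: one transitive terser under a bundler plugin and one
// direct dependency already on a fixed 4.x release. Versions are illustrative.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    webpack: {
      version: '5.73.0',
      dependencies: {
        'terser-webpack-plugin': {
          version: '5.3.3',
          dependencies: {
            terser: { version: '5.14.1' },
          },
        },
      },
    },
    terser: { version: '4.8.1' },
  },
};

// One line per installed copy, flagged so the vulnerable ones stand out.
function report(tree) {
  return findTerser(tree).map((hit) => `${hit.affected ? 'VULNERABLE' : 'ok'} ${hit.path}`);
}

console.log(report(SAMPLE_TREE).join('\n'));
```

Against a real project, save the output of `npm ls --all --json` to a file, parse it with JSON.parse and pass the object to report(); an empty result means the package is not installed at all, and a transitive hit means the fix has to come from upgrading the parent package (or via an override in the package manager) rather than from editing package.json alone.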
CVE-2022-25858 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Terser versions before 4.8.1 and 5.0.0 - 5.14.2, allowing attackers to cause excessive CPU consumption.
You are affected if your project uses Terser versions prior to 4.8.1 or from 5.0.0 up to but not including 5.14.2. Terser is frequently pulled in transitively (for example through bundler plugins), so check the lockfile or run `npm ls terser` (or the equivalent for your package manager) rather than relying on package.json alone.
Upgrade to Terser version 4.8.1 or later on the 4.x line, or 5.14.2 or later on the 5.x line. If an immediate upgrade is not possible, avoid feeding untrusted JavaScript to Terser and run minification in an isolated process with a time limit.
No active exploitation campaigns have been publicly reported, but public proof-of-concept exploits exist.
Refer to the Terser project's GitHub repository and associated security advisories for details: https://github.com/terser/terser