Regular Expression Denial of Service (DoS)

Affecting uglify-js package, versions <2.6.0

medium severity

Overview

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed.

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Remediation

Upgrade to version 2.6.0 or greater. If a direct dependency update is not possible, run the snyk wizard command to apply the Snyk patch for this vulnerability.
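A quick way to confirm whether a project still pulls in an affected copy, including transitive ones, is to walk the npm lockfile for every uglify-js entry below the fixed release. The following is an added example, not Snyk's tooling; it assumes the lockfile v1 layout (a nested "dependencies" object whose entries carry a "version" field) and uses a constructed sample lockfile.

```javascript
// Added example (not Snyk's code): flag uglify-js versions below the fixed
// release 2.6.0 anywhere in an npm lockfile (v1 nested "dependencies" layout).
const FIXED_VERSION = [2, 6, 0];

// Parse "MAJOR.MINOR.PATCH" (ignoring any prerelease/build suffix) into numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true when the installed version is strictly lower than 2.6.0 (compared
// component-wise, so 2.10.0 is correctly treated as newer than 2.6.0).
function isVulnerableUglifyVersion(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] < FIXED_VERSION[i];
  }
  return false; // exactly 2.6.0 is the fixed release
}

// Walk the lockfile's nested "dependencies" tree and return the dependency
// path of every uglify-js copy in the affected range.
function findVulnerableUglify(lockfile) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (name === 'uglify-js' && isVulnerableUglifyVersion(entry.version)) {
        hits.push(here.join(' > '));
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lockfile.dependencies, []);
  return hits;
}

// Constructed sample lockfile: the top-level copy is fixed, but a build tool
// still pins a transitive copy in the affected range.
const SAMPLE_LOCK = {
  dependencies: {
    'uglify-js': { version: '2.8.29' },
    'old-build-tool': {
      version: '1.0.0',
      dependencies: { 'uglify-js': { version: '2.4.24' } },
    },
  },
};

console.log(findVulnerableUglify(SAMPLE_LOCK));
// prints [ 'old-build-tool@1.0.0 > uglify-js@2.4.24' ]
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the affected parse() code is still reachable through that path.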

References

Snyk patch available for versions:

Credit
Adam Baldwin
CWE
CWE-400
Snyk ID
npm:uglify-js:20151024
Disclosed
24 Oct, 2015
Published
06 Nov, 2015
