Regular Expression Denial of Service (DoS)
Affecting the uglify-js package, versions <2.6.0
The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) when long inputs of certain patterns are processed. The exposure is the input to parse(): an application is affected when the JavaScript source it parses can be influenced by an attacker, for example a service that minifies or bundles user-submitted code, since one crafted input can pin a CPU for a very long time.
"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]
Upgrade uglify-js to version 2.6.0 or greater.
If a direct dependency update is not possible (the vulnerable copy is often pulled in transitively by build tooling), use snyk wizard to patch this vulnerability.
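The following is an added example written for this advisory; it is not uglify-js code, and VULNERABLE_RE and SAFE_RE are illustrative stand-ins with the same shape of defect as a ReDoS-prone pattern, not the regex from uglify-js's parse(). It shows why the quoted attack works (a quantified group whose body overlaps with its own next iteration, followed by an input that can never match), that an unambiguous rewrite accepts exactly the same strings in linear time, and a length cap (MAX_NUMBER_TOKEN_LENGTH is an assumed value) as the bound a practitioner applies to attacker-influenced text while the upgrade is pending.

```javascript
// Added example for this advisory; it is not uglify-js code. VULNERABLE_RE and
// SAFE_RE are illustrative stand-ins chosen to have the same shape of defect
// as a ReDoS-prone pattern, not the regex from uglify-js's parse().

// Ambiguous: the group body (\d+) can also be consumed by the next iteration,
// so "111" can be split (1)(1)(1), (11)(1), (1)(11) or (111). When the final
// "$" fails, a backtracking engine tries every split: 2^(n-1) for n digits.
const VULNERABLE_RE = /^(\d+\.?)*$/;

// Same language (digit runs, every dot preceded by a digit, no adjacent dots),
// but each iteration must end in ".", so every split is forced: linear time.
const SAFE_RE = /^(?:\d+\.)*\d*$/;

// Attacker-shaped input: a long run that matches the ambiguous group, then a
// character that can never match, so the engine cannot succeed early.
function attackInput(n) {
  return "1".repeat(n) + "!";
}

// Constructed sample tokens (not from the advisory) covering accept and reject cases.
const SAMPLE_TOKENS = ["", "123", "1.", "1.2", "1.2.3.", ".1", "1..2", "1.2!"];

// Returns the subset of tokens a regex accepts; used to show both regexes agree.
function acceptedBy(re, tokens) {
  return tokens.filter((t) => re.test(t));
}

// Times a single match and reports elapsed milliseconds with the result.
function timedTest(re, text) {
  const start = process.hrtime.bigint();
  const matched = re.test(text);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Defensive wrapper for code that must run a regex over attacker-influenced
// text. The cap is an assumed value for this example; it only bounds the worst
// case and is not a substitute for upgrading to the fixed version.
const MAX_NUMBER_TOKEN_LENGTH = 64;

function isNumberToken(text) {
  if (typeof text !== "string" || text.length > MAX_NUMBER_TOKEN_LENGTH) {
    return false;
  }
  return SAFE_RE.test(text);
}

// Demonstration: each step adds two digits, so the ambiguous regex does roughly
// four times the work per step while the unambiguous one stays flat.
for (const n of [16, 18, 20, 22]) {
  const v = timedTest(VULNERABLE_RE, attackInput(n));
  const s = timedTest(SAFE_RE, attackInput(n));
  console.log(
    `n=${n} vulnerable=${v.ms.toFixed(2)}ms safe=${s.ms.toFixed(3)}ms` +
      ` (both reject: ${!v.matched && !s.matched})`
  );
}
```

Run it with node; the vulnerable timings grow geometrically while the safe ones do not move, and both regexes accept exactly the same sample tokens. To find which of your projects still carry an affected copy, run npm ls uglify-js in each project root and look for versions below 2.6.0, including ones nested under build tools.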
- Credit: Adam Baldwin
- Snyk ID
- Disclosed: 24 Oct, 2015
- Published: 06 Nov, 2015