Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00d2Y1LXZwaGYtYzJ4Y84AAtaQ
Terser insecure use of regular expressions leads to ReDoS
The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Permalink: https://github.com/advisories/GHSA-4wf5-vphf-c2xc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d2Y1LXZwaGYtYzJ4Y84AAtaQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4wf5-vphf-c2xc, CVE-2022-25858
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25858
- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b
- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366
- https://github.com/advisories/GHSA-4wf5-vphf-c2xc
Blast Radius: 46.9
Affected Packages
npm:terser
Dependent packages: 9,173
Dependent repositories: 1,771,735
Downloads: 132,630,241 last month
Affected Version Ranges: >= 5.0.0, < 5.14.2, < 4.8.1
Fixed in: 5.14.2, 4.8.1
All affected versions: 0.0.1, 1.0.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.10.8, 3.10.9, 3.10.10, 3.10.11, 3.10.12, 3.10.13, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.14.1, 3.16.0, 3.16.1, 3.17.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.7.0, 4.8.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.13.0, 5.13.1, 5.14.0, 5.14.1
All unaffected versions: 4.8.1, 5.14.2, 5.15.0, 5.15.1, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.16.6, 5.16.8, 5.16.9, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.17.4, 5.17.5, 5.17.6, 5.17.7, 5.18.0, 5.18.1, 5.18.2, 5.19.0, 5.19.1, 5.19.2, 5.19.3, 5.19.4, 5.20.0, 5.21.0, 5.22.0, 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.27.0, 5.27.1, 5.27.2, 5.28.0, 5.28.1, 5.29.0, 5.29.1, 5.29.2, 5.30.0, 5.30.1, 5.30.2, 5.30.3, 5.30.4, 5.31.0