ghsa-4wf5-vphf-c2xc
Vulnerability from github
Published
2022-07-16 00:00
Modified
2023-03-13 22:43
Severity
Summary
Terser insecure use of regular expressions leads to ReDoS
Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "terser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "terser"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25858"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-20T01:21:59Z",
"nvd_published_at": "2022-07-15T20:15:00Z",
"severity": "HIGH"
},
"details": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.",
"id": "GHSA-4wf5-vphf-c2xc",
"modified": "2023-03-13T22:43:44Z",
"published": "2022-07-16T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25858"
},
{
"type": "WEB",
"url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b"
},
{
"type": "WEB",
"url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012"
},
{
"type": "PACKAGE",
"url": "https://github.com/terser/terser"
},
{
"type": "WEB",
"url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Terser insecure use of regular expressions leads to ReDoS"
}
Loading...