uglify-js 2.4.16 vulnerabilities

Known vulnerabilities in the uglify-js package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `string_template` and the `decode_template` functions. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `uglify-js` to version 3.14.3 or higher.	<3.14.3
M Regular Expression Denial of Service (ReDoS) The `parse()` function in the `uglify-js` package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade to version `2.6.0` or greater. If a direct dependency update is not possible, use `snyk wizard` to patch this vulnerability.	<2.6.0
H Improper minification of non-boolean comparisons `uglify-js` is a JavaScript parser, minifier, compressor and beautifier toolkit. Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification. Details In Boolean algebra, DeMorgan's laws describe the relationships between conjunctions (`&&`), disjunctions (`\|\|`) and negations (`!`). In Javascript form, they state that: `!(a && b) === (!a) \|\| (!b) !(a \|\| b) === (!a) && (!b)` The law does not hold true when one of the values is not a boolean however. Vulnerable versions of UglifyJS do not account for this restriction, and erroneously apply the laws to a statement if it can be reduced in length by it. Consider this authentication function: `function isTokenValid(user) { var timeLeft = !!config && // config object exists !!user.token && // user object has a token !user.token.invalidated && // token is not explicitly invalidated !config.uninitialized && // config is initialized !config.ignoreTimestamps && // don't ignore timestamps getTimeLeft(user.token.expiry); // > 0 if expiration is in the future // The token must not be expired return timeLeft > 0; } function getTimeLeft(expiry) { return expiry - getSystemTime(); }` When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, where a token will never expire: ( Formatted for readability ) `function isTokenValid(user) { var timeLeft = !( // negation !config // config object does not exist \|\| !user.token // user object does not have a token \|\| user.token.invalidated // token is explicitly invalidated \|\| config.uninitialized // config isn't initialized \|\| config.ignoreTimestamps // ignore timestamps \|\| !getTimeLeft(user.token.expiry) // > 0 if expiration is in the future ); return timeLeft > 0 } function getTimeLeft(expiry) { return expiry - getSystemTime() }` How to fix Improper minification of non-boolean comparisons? Upgrade UglifyJS to version `2.4.24` or higher.	>=2.2.0 <2.4.24

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the string_template and the decode_template functions.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade uglify-js to version 3.14.3 or higher.

<3.14.3

Regular Expression Denial of Service (ReDoS)

The parse() function in the uglify-js package prior to version 2.6.0 is vulnerable to regular expression denial of service (ReDoS) attacks when long inputs of certain patterns are processed.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade to version 2.6.0 or greater. If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.

<2.6.0

Improper minification of non-boolean comparisons

uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit.

Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification.

Details

In Boolean algebra, DeMorgan's laws describe the relationships between conjunctions (&&), disjunctions (||) and negations (!). In Javascript form, they state that:

 !(a && b) === (!a) || (!b)
 !(a || b) === (!a) && (!b)

The law does not hold true when one of the values is not a boolean however.

Vulnerable versions of UglifyJS do not account for this restriction, and erroneously apply the laws to a statement if it can be reduced in length by it.

Consider this authentication function:

function isTokenValid(user) {
    var timeLeft =
        !!config && // config object exists
        !!user.token && // user object has a token
        !user.token.invalidated && // token is not explicitly invalidated
        !config.uninitialized && // config is initialized
        !config.ignoreTimestamps && // don't ignore timestamps
        getTimeLeft(user.token.expiry); // > 0 if expiration is in the future

    // The token must not be expired
    return timeLeft > 0;
}

function getTimeLeft(expiry) {
  return expiry - getSystemTime();
}

When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, where a token will never expire:

( Formatted for readability )

function isTokenValid(user) {
    var timeLeft = !(                       // negation
        !config                             // config object does not exist
        || !user.token                      // user object does not have a token
        || user.token.invalidated           // token is explicitly invalidated
        || config.uninitialized             // config isn't initialized
        || config.ignoreTimestamps          // ignore timestamps
        || !getTimeLeft(user.token.expiry)  // > 0 if expiration is in the future
    );
    return timeLeft > 0
}

function getTimeLeft(expiry) {
    return expiry - getSystemTime()
}

How to fix Improper minification of non-boolean comparisons?

Upgrade UglifyJS to version 2.4.24 or higher.

>=2.2.0 <2.4.24

uglify-js@2.4.16 vulnerabilities

JavaScript parser, mangler/compressor and beautifier toolkit

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

Details