Improper minification of non-boolean comparisons Affecting uglify-js package, versions >=2.2.0 <2.4.24
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDnpm:uglify-js:20150824
- published24 Aug 2015
- disclosed24 Aug 2015
- creditTom MacWright
Introduced: 24 Aug 2015
CVE-2015-8857 (opens in a new tab)How to fix?
Upgrade UglifyJS to version 2.4.24 or higher.
Overview
uglify-js is a JavaScript parser, minifier, compressor and beautifier toolkit.
Tom MacWright discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated by Yan to allow potentially malicious code to be hidden within secure code, activated by minification.
Details
In Boolean algebra, DeMorgan's laws describe the relationships between conjunctions (&&), disjunctions (||) and negations (!).
In Javascript form, they state that:
!(a && b) === (!a) || (!b)
!(a || b) === (!a) && (!b)
The law does not hold true when one of the values is not a boolean however.
Vulnerable versions of UglifyJS do not account for this restriction, and erroneously apply the laws to a statement if it can be reduced in length by it.
Consider this authentication function:
function isTokenValid(user) { var timeLeft = !!config && // config object exists !!user.token && // user object has a token !user.token.invalidated && // token is not explicitly invalidated !config.uninitialized && // config is initialized !config.ignoreTimestamps && // don't ignore timestamps getTimeLeft(user.token.expiry); // > 0 if expiration is in the future// The token must not be expired return timeLeft > 0;}
function getTimeLeft(expiry) { return expiry - getSystemTime(); }
When minified with a vulnerable version of UglifyJS, it will produce the following insecure output, where a token will never expire:
( Formatted for readability )
function isTokenValid(user) { var timeLeft = !( // negation !config // config object does not exist || !user.token // user object does not have a token || user.token.invalidated // token is explicitly invalidated || config.uninitialized // config isn't initialized || config.ignoreTimestamps // ignore timestamps || !getTimeLeft(user.token.expiry) // > 0 if expiration is in the future ); return timeLeft > 0 }
function getTimeLeft(expiry) { return expiry - getSystemTime() }