GoogleOSV:GHSA-4WF5-VPHF-C2XCTerser insecure use of regular expressions leads to ReDoS
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
58.5%
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
References
github.com/terser/terser
github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135
github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b
github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
nvd.nist.gov/vuln/detail/CVE-2022-25858
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722
snyk.io/vuln/SNYK-JS-TERSER-2806366
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
58.5%