Vulnerability Description
Versions of the package terser before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Terser | Terser | < 4.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js#L135 (Broken Link)
- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b (Patch, Third Party Advisory)
- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722 (Exploit, Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-25858?
CVE-2022-25858 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package terser before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
How severe is CVE-2022-25858?
CVE-2022-25858 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-25858?
Check the references section above for vendor advisories and patch information. Affected products include: Terser (vendor: Terser).