CVE-2022-25858 - OpenCVE

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Terser	Terser

Configuration 1 [-]

OR	cpe:2.3:a:terser:terser::::::node.js::*
	cpe:2.3:a:terser:terser::::::node.js::*

References

Link	Resource
https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135	Broken Link
https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b	Patch Third Party Advisory
https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012	Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722	Exploit Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-TERSER-2806366	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-07-15T00:00:00

Updated: 2022-07-15T20:00:19

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25858

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-15T20:15:08.427

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-25858

JSON object: View

Redhat Information

No data.

CWE

CWE-1333

{"containers": {"cna": {"affected": [{"product": "terser", "vendor": "n/a", "versions": [{"lessThan": "4.8.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "5.0.0", "versionType": "custom"}, {"lessThan": "5.14.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "F\u00e1bio Santos"}], "datePublic": "2022-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Regular Expression Denial of Service (ReDoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-15T20:00:19", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012"}], "title": "Regular Expression Denial of Service (ReDoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-07-15T20:00:10.074191Z", "ID": "CVE-2022-25858", "STATE": "PUBLIC", "TITLE": "Regular Expression Denial of Service (ReDoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "terser", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.1"}, {"version_affected": ">=", "version_value": "5.0.0"}, {"version_affected": "<", "version_value": "5.14.2"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "F\u00e1bio Santos"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Regular Expression Denial of Service (ReDoS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722"}, {"name": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135", "refsource": "MISC", "url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135"}, {"name": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b", "refsource": "MISC", "url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b"}, {"name": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012", "refsource": "MISC", "url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25858", "datePublished": "2022-07-15T00:00:00", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2022-07-15T20:00:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0A470914-3805-4013-9E7D-6AB1241062A9", "versionEndExcluding": "4.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "34C8303E-663F-4756-BF89-AA071EFDF7C2", "versionEndExcluding": "5.14.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions."}, {"lang": "es", "value": "El paquete terser versiones anteriores a 4.8.1, a partir de la versi\u00f3n 5.0.0 anteriores a 5.14.2, son vulnerables a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) debido al uso no seguro de expresiones regulares"}], "id": "CVE-2022-25858", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-07-15T20:15:08.427", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}