Vulnerability Details : CVE-2022-25858
Potential exploit
Versions of the package terser before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Vulnerability category: Denial of service
Products affected by CVE-2022-25858
- cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-25858
- EPSS score: 1.99% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~83% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-25858
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | Snyk | |
References for CVE-2022-25858
- https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135 (Page not found · GitHub; Broken Link)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722 (Regular Expression Denial of Service (ReDoS) in org.webjars.npm:terser | CVE-2022-25858 | Snyk; Exploit; Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-TERSER-2806366 (Regular Expression Denial of Service (ReDoS) in terser | CVE-2022-25858 | Snyk; Exploit; Patch; Third Party Advisory)
- https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012 (backport fix to potential regexp DDOS · terser/terser@d8cc569 · GitHub; Patch; Third Party Advisory)
- https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b (fix potential regexp DDOS · terser/terser@a4da734 · GitHub; Patch; Third Party Advisory)