CVE-2022-25858 – terser
Package
Manager: npm
Name: terser
Vulnerable Version: >=0 <4.8.1 || >=5.0.0 <5.14.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03306 (percentile 0.86745)
Details
Terser insecure use of regular expressions leads to ReDoS
Versions of the terser package before 4.8.1, and from 5.0.0 before 5.14.2, are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Metadata
Created: 2022-07-16T00:00:20Z
Modified: 2023-03-13T22:43:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4wf5-vphf-c2xc/GHSA-4wf5-vphf-c2xc.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-4wf5-vphf-c2xc
Finding: F211
Auto approve: 1