Fluid Attacks Database

Description

Terser insecure use of regular expressions leads to ReDoS The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	node-terser	>=0 <4.8.1-1	4.8.1-1
npm	terser	>=0 <4.8.1 \|\| >=5.0.0 <5.14.2	4.8.1, 5.14.2
debian 14	node-terser	>=0 <4.8.1-1	4.8.1-1
debian 11	node-terser	=4.1.2-10 \|\| =4.1.2-10~bpo11+1 \|\| =4.1.2-8 \|\| =4.1.2-9 \|\| =4.8.0-1 \|\| =4.8.0-2 \|\| =4.8.0-3 \|\| =4.8.0-4 \|\| =4.8.0-5 \|\| =4.8.1-1 \|\| =5.14.1-1 \|\| =5.14.1-2 \|\| =5.14.1-3 \|\| =5.14.1-4 \|\| =5.14.2-1 \|\| =5.14.2-2 \|\| =5.15.0-1 \|\| =5.15.1-1 \|\| =5.16.1-1 \|\| =5.16.2-1 \|\| =5.16.3-1 \|\| =5.16.4-1 \|\| =5.16.5-1 \|\| =5.16.5-2 \|\| =5.18.0-1 \|\| =5.19.2-1 \|\| =5.31.3-1 \|\| =5.38.0-1 \|\| =5.46.1-1 \|\| =5.46.1-2 \|\| =5.46.1-3 \|\| =5.46.1-4	-
debian 12	node-terser	>=0 <4.8.1-1	4.8.1-1
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
rpm rhel8	pcs	-	-

Aliases

1. CVE-2022-258582. NVD-2022-258583. OSV-DEBIAN-2022-258584. OSV-2022-258585. GCVE-2022-258586. SECURITY-TRACKER-CVE-2022-25858

References

1. https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b2. https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d5970123. https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135