7.5

CVE-2022-25858

Exploit

Terser < 4.8.1 and 5.0.0-5.14.1 - Regular Expression Denial of Service

terser (JS Package) < 5.14.2 - Denial of Service

The package terser before 4.8.1, and from 5.0.0 and before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Possible countermeasure
Autopost for X (formerly Autoshare for Twitter): Update to version 1.2.0, or a newer patched version
Block for Apple Maps: Update to version 1.1.0, or a newer patched version
Publisher Media Kit: Update to version 1.3.0, or a newer patched version
Retro Winamp Block: Update to version 1.2.0, or a newer patched version
ElasticPress: Update to version 4.3.0, or a newer patched version
Simple Local Avatars: Update to version 2.6.0, or a newer patched version
Simple Podcasting: Update to version 1.2.4, or a newer patched version
Sophi: Update to version 1.2.1, or a newer patched version
Further vulnerability information
System: WordPress Plugin | Product: Autopost for X (formerly Autoshare for Twitter) | Version: *-1.1.2
System: WordPress Plugin | Product: Block for Apple Maps | Version: *-1.0.3
System: WordPress Plugin | Product: Publisher Media Kit | Version: *-1.2.1
System: WordPress Plugin | Product: Retro Winamp Block | Version: *-1.1.0
System: WordPress Plugin | Product: ElasticPress | Version: *-4.2.2
System: WordPress Plugin | Product: Simple Local Avatars | Version: *-2.5.0
System: WordPress Plugin | Product: Simple Podcasting | Version: [*, 1.2.4)
System: WordPress Plugin | Product: Sophi | Version: *-1.2.0
Data provided by the National Vulnerability Database (NVD)
Terser Terser | SwPlatform: node.js | Version: < 4.8.1
Terser Terser | SwPlatform: node.js | Version: >= 5.0.0 < 5.14.2
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 3.56% | 0.875
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.