oss-sec mailing list archives
CVE request: uglify-js node.js module <2.4.24 incorrectly handles non-boolean comparisons during minification
From: Reed Loden <reed () reedloden com>
Date: Mon, 24 Aug 2015 11:26:15 -0700
As seen on Hacker News -- https://zyan.scripts.mit.edu/blog/backdooring-js/

Blog post has all the details, but basically the UglifyJS node module has a problem where the combination of De Morgan's Law and non-boolean values can lead to a case where code is incorrectly minified, which can lead to possibly malicious minified JS code.

UglifyJS is a "JavaScript parser / mangler / compressor / beautifier toolkit" for Node.js.

Node.js module: uglify-js (https://www.npmjs.com/package/uglify-js)
Affects: 2.4.23 and earlier
Fixed in: 2.4.24

Reported via https://github.com/mishoo/UglifyJS2/issues/751
Fixed by https://github.com/mishoo/UglifyJS2/commit/905b6011784ca60d41919ac1a499962b7c1d4b02

Can a CVE be assigned?

Thanks,
~reed
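The class of problem the message describes, as an added illustration that is not code from UglifyJS, from the linked blog post, or from the fix commit: boolean-algebra rewrites such as De Morgan's law are exact when the operands are `true`/`false`, but once a compressor also drops a double negation the rewritten expression can return a raw operand instead of a boolean. The two rewrites below, the function names, and the sample operand set are constructed for this example; rewrite B stands in for the general pattern and is not claimed to be the exact transformation reported in issue #751. The `findMismatches` helper is the kind of differential check (source behaviour versus minified behaviour over non-boolean inputs) that catches such a change before minified output is shipped.

```javascript
// Constructed illustration, not code from UglifyJS or from the blog post:
// two boolean-algebra rewrites of the kind a compressor applies, plus a
// differential check that compares original and rewritten behaviour over
// non-boolean operands.

// Rewrite A: De Morgan's law with the outer negation kept.
//   !(a || b)  ->  !a && !b
// Both forms always yield a boolean, so they agree for every a, b.
function deMorganOriginal(a, b) { return !(a || b); }
function deMorganRewritten(a, b) { return !a && !b; }

// Rewrite B: De Morgan's law followed by dropping a double negation.
//   !(!a && !b)  ->  !!(a || b)  ->  a || b
// Removing `!!` is only safe where the result feeds a boolean context;
// as a value, `a || b` returns one of the operands, not true/false.
function doubleNegOriginal(a, b) { return !(!a && !b); }
function doubleNegRewritten(a, b) { return a || b; }

// Constructed sample operands covering the falsy and truthy non-boolean
// values that a rewrite valid only for true/false tends to mishandle.
const SAMPLE_VALUES = [true, false, 0, 1, -1, "", "0", "abc", null, undefined, NaN, [], {}];

// Evaluates both forms over every pair of sample operands and returns the
// pairs whose results differ. Object.is is used so that NaN compares equal
// to NaN while 0 is still distinguished from false.
function findMismatches(original, rewritten, values = SAMPLE_VALUES) {
  const mismatches = [];
  for (const a of values) {
    for (const b of values) {
      const x = original(a, b);
      const y = rewritten(a, b);
      if (!Object.is(x, y)) {
        mismatches.push({ a, b, original: x, rewritten: y });
      }
    }
  }
  return mismatches;
}

// Why the difference matters downstream: a caller that compares the result
// strictly behaves differently once the rewrite has turned a boolean into a
// raw operand value.
function strictlyTrue(fn, a, b) {
  return fn(a, b) === true;
}

// Stand-alone run: report how many operand pairs each rewrite gets wrong.
console.log("rewrite A mismatches:", findMismatches(deMorganOriginal, deMorganRewritten).length);
console.log("rewrite B mismatches:", findMismatches(doubleNegOriginal, doubleNegRewritten).length);
```

Run with `node` to see that rewrite A produces no mismatches while rewrite B does; restricting `values` to `[true, false]` makes rewrite B pass as well, which is exactly why a check that only exercises booleans would have missed this kind of defect.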