
Transitive dependency uglify-js is vulnerable to Regular Expression Injection #79

@fermaem

Description


Halacious 3.4.0 (latest available version)
depends on swig in version 1.4.2 (latest available version, but no longer maintained)
which depends on uglify-js in version ~2.4.0

Versions of uglify < 2.6.0 are vulnerable to Regular Expression Denial of Service.

Below is the result of nsp check:

> nsp check
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                  │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name          │ uglify-js                                             │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed     │ 2.4.24                                                │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable    │ <2.6.0                                                │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched       │ >=2.6.0                                               │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path          │ swig > uglify-js                                      │
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/48                 │
└───────────────┴───────────────────────────────────────────────────────┘
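The report above finds the vulnerable copy of uglify-js two levels down the tree (halacious > swig > uglify-js) by matching an installed version against an advisory's vulnerable range. The following is an added example, written for this page and not code from the issue author, the halacious project, swig or nsp. It walks a dependency tree in the shape of a package-lock "dependencies" map, reports every path that reaches a package whose version satisfies an advisory range, and uses a deliberately minimal comparator-based range matcher rather than the full semver grammar. The tree, the advisory entry and the helper names are all constructed for the example; only the package names, versions and the <2.6.0 / >=2.6.0 range come from the report.

```javascript
// Added example: locate vulnerable transitive dependencies in a dependency
// tree, the way `nsp check` reports "swig > uglify-js" above.
// Not code from the issue, halacious, swig or nsp.

// Constructed sample tree (an assumption about lockfile shape, not real
// lockfile data) mirroring the chain in the report, plus a second, already
// patched copy of uglify-js at the top level to show the check is
// version-sensitive.
const SAMPLE_TREE = {
  name: 'halacious',
  version: '3.4.0',
  dependencies: {
    swig: {
      version: '1.4.2',
      dependencies: {
        'uglify-js': { version: '2.4.24', dependencies: {} },
      },
    },
    'uglify-js': { version: '2.6.1', dependencies: {} },
  },
};

// Advisory as stated in the report: uglify-js < 2.6.0 vulnerable, >= 2.6.0 patched.
const ADVISORIES = [
  { name: 'uglify-js', vulnerable: '<2.6.0', title: 'Regular Expression Denial of Service' },
];

// Parse "1.2.3" (an optional "-prerelease" suffix is ignored) into numbers.
function parseVersion(v) {
  const core = v.split('-')[0];
  return core.split('.').map((p) => parseInt(p, 10) || 0);
}

// Numeric comparison of two dotted versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimal range matcher for the comparator forms advisories use:
// "<X", "<=X", ">X", ">=X", "=X"; space-separated comparators must all hold,
// "||" separates alternatives. This is not a full semver implementation.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const d = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return d < 0;
        case '<=': return d <= 0;
        case '>': return d > 0;
        case '>=': return d >= 0;
        default: return d === 0;
      }
    }),
  );
}

// Depth-first walk over the tree. Returns one finding per vulnerable node,
// with the "parent > child" path (relative to the root) the scanner prints.
function findVulnerable(tree, advisories) {
  const findings = [];
  const walk = (node, name, path) => {
    for (const adv of advisories) {
      if (name === adv.name && satisfies(node.version, adv.vulnerable)) {
        findings.push({ name, version: node.version, path: path.join(' > '), title: adv.title });
      }
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, path.concat(childName));
    }
  };
  walk(tree, tree.name, []);
  return findings;
}

// Stand-alone run: prints one line per vulnerable path in the sample tree.
for (const f of findVulnerable(SAMPLE_TREE, ADVISORIES)) {
  console.log(`${f.title}: ${f.name}@${f.version} via ${f.path}`);
}
```

Running it prints only the swig > uglify-js path at 2.4.24; the top-level 2.6.1 copy is silent, which is the distinction that matters when deciding whether an upgrade of the direct dependency actually removed the vulnerable copy or merely added a second one beside it.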
