Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
- Severity: High
Description
uglify-js versions prior to 2.4.24 mishandle comparisons whose operands are not booleans when compressing code. As a result, crafted JavaScript that reads as benign in its source form can behave differently after minification: a review of the unminified source does not guarantee the behaviour of the minified artifact that is actually shipped.
Recommendation
Update the uglify-js package to 2.4.24 or a later compatible version. Version details:
- Affected version(s): < 2.4.24
- Patched version(s): 2.4.24
References
- GHSA-34r7-q49f-h37c
- zyan.scripts.mit.edu
- www.openwall.com
- web.archive.org
- CVE-2015-8857
- CWE-1254
- CWE-670
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service in uglify-js - CVE-2015-8858
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect - CVE-2024-30261
- Predictable results in nanoid generation when given non-integer values - CVE-2024-55565
- webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium based browser - CVE-2025-30360
- Tags: npm, uglify-js
Last updated on April 12, 2023