Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
- Severity: High
Description
Versions of uglify-js prior to 2.4.24 contain a vulnerability that may cause crafted JavaScript to behave differently after minification.
Recommendation
Update the uglify-js package to the latest compatible version. Version details:
- Affected version(s): < 2.4.24
- Patched version(s): 2.4.24
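A differential check, added here as an illustration and not part of the advisory or of uglify-js: it runs a function and its rewritten form over mixed boolean and non-boolean inputs and reports every input on which they disagree. The rewrite pair it exercises (`!a == b` treated as `a != b`) is a constructed example of a comparison rewrite that is only valid for boolean operands, not necessarily the exact transformation uglify-js performed.

```javascript
// Differential check: run an original function and its minified/rewritten
// form over the same inputs and collect every input where results differ.
function findDivergences(original, rewritten, inputs) {
  const divergences = [];
  for (const [a, b] of inputs) {
    const before = original(a, b);
    const after = rewritten(a, b);
    if (before !== after) divergences.push({ a, b, before, after });
  }
  return divergences;
}

// Constructed inputs: every pairing of truthy/falsy values, only two of
// which are real booleans. Non-boolean operands are where `==` rewrites
// that assume boolean-ness break down.
const VALUES = [true, false, 0, 1, 2, '', 'x', null, undefined, NaN, [], {}];
const SAMPLE_INPUTS = [];
for (const a of VALUES) for (const b of VALUES) SAMPLE_INPUTS.push([a, b]);

// Constructed unsound rewrite: `!a` is always a boolean, so `!a == b` can
// only be replaced by `a != b` when b is itself a boolean.
const unsoundOriginal = (a, b) => !a == b;
const aNotEqualB = (a, b) => a != b;

// Sound rewrite for comparison: `!(a == b)` is `a != b` for every input,
// because `!=` is defined as the negation of `==`.
const soundOriginal = (a, b) => !(a == b);

// Returns the divergence lists for both pairs so callers can inspect them.
function runChecks() {
  return {
    unsound: findDivergences(unsoundOriginal, aNotEqualB, SAMPLE_INPUTS),
    sound: findDivergences(soundOriginal, aNotEqualB, SAMPLE_INPUTS),
  };
}

const results = runChecks();
console.log(`unsound rewrite diverges on ${results.unsound.length} inputs,` +
            ` sound rewrite diverges on ${results.sound.length}`);
```

The same harness can wrap a real function and its minifier output to confirm that a minifier upgrade preserved behaviour on the inputs that matter.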
References
- GHSA-34r7-q49f-h37c
- zyan.scripts.mit.edu
- www.openwall.com
- web.archive.org
- CVE-2015-8857
- CWE-1254
- CWE-670
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Regular Expression Denial of Service in uglify-js - CVE-2015-8858
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
- Webrecorder packages are vulnerable to XSS through 404 error handling logic (GHSA-w765-jm6w-4hhj) - CVE-2025-58765
- @astrojs/node's trailing slash handling causes open redirect issue - CVE-2025-55207
- Tags: npm, uglify-js
Last updated on April 12, 2023