Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
- Severity: High
Description
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Recommendation
Update the uglify-js package to the latest compatible version. Version details:
- Affected version(s): < 2.4.24
- Patched version(s): 2.4.24
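uglify-js is often installed as a transitive dependency of build tooling, so checking only the top-level `package.json` can miss an affected copy. The following is an added example, not part of the original advisory or the uglify-js project: it scans a parsed npm lockfile for any uglify-js install below 2.4.24. The sample lockfile and the package name `old-bundler` are constructed for illustration.

```javascript
// Added example: flag uglify-js installs below the patched release 2.4.24.
const PKG = "uglify-js";
const PATCHED = [2, 4, 24];

// True when version < 2.4.24. Versions that are not "major.minor.patch"
// (git URLs, tags, missing) fail closed so they get reviewed by hand.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return false;
}

// Lockfile v2/v3 lists installs under "packages"; v1 nests them under "dependencies".
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PKG) && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail.concat(name);
      if (name === PKG && isAffected(meta.version)) {
        hits.push({ path: path.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; "old-bundler" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/uglify-js": { version: "2.4.24" },
    "node_modules/old-bundler/node_modules/uglify-js": { version: "2.4.23" },
  },
};
console.log(findAffected(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` in place of the sample object.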
References
- GHSA-34r7-q49f-h37c
- zyan.scripts.mit.edu
- www.openwall.com
- web.archive.org
- CVE-2015-8857
- CWE-1254
- CWE-670
- CAPEC-310
- OWASP 2021-A6
Related Issues
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- Astro's server source code is exposed to the public if sourcemaps are enabled - CVE-2024-56159
- google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) - CVE-2025-27597
- Tags: npm, uglify-js
Last updated on April 12, 2023