CVE-2015-8857 in uglify-js Package

Summary

by MITRE

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.


Analysis

by VulDB Data Team • 05/14/2026

The vulnerability identified as CVE-2015-8857 affects the uglify-js package version 2.4.24 and earlier in Node.js environments and represents a significant security flaw in JavaScript minification and obfuscation. The issue stems from improper handling of boolean expression rewriting in the package's code transformation logic, which creates potential attack vectors that could compromise application security. Specifically, the package fails to correctly account for non-boolean values during the optimization phase, in which the tool simplifies and shrinks JavaScript files while attempting to preserve their behavior.

The flaw manifests when uglify-js rewrites boolean expressions whose operands are not booleans, such as strings, numbers, or objects that are evaluated in a boolean context. The package fails to account for these values during the rewrite and can replace valid boolean logic with an expression that is equivalent only when the operands are genuine booleans and that evaluates differently for other values. The tool therefore does not preserve the semantic equivalence of the expressions it optimizes, particularly where JavaScript's truthy and falsy values are involved. A conditional rewritten in this way may no longer enforce the security check or access control it was written to implement in applications that are minified with this tool.

The operational impact extends beyond simple optimization errors: security mechanisms that depend on correct boolean evaluation can be undermined. Where applications minify their production code with uglify-js, an attacker could potentially exploit the altered code to bypass authentication checks, access control mechanisms, or other validations that rely on boolean logic. This is particularly concerning in web applications, where code obfuscation is commonly used to protect intellectual property and is also treated as a security layer. Because the other potential impacts are unspecified, the flaw could enable further forms of code manipulation or execution bypass that are not immediately apparent, making it particularly dangerous in security-sensitive applications.
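To make the two paragraphs above concrete, the following is an added example (not code from uglify-js or from VulDB). It models the bug class with a constructed rewrite rule, `!a == !b` to `a == b`, that is only sound when both operands are genuine booleans, and it shows the check a defender can run against a minifier's output: evaluate the original and the rewritten expression over a corpus of non-boolean values and report every pair where they disagree. The rewrite rule, the `SAMPLE_VALUES` corpus and all function names are assumptions made for this illustration and do not claim to reproduce uglify-js's actual transformation.

```javascript
// Added illustration (not uglify-js source): a boolean rewrite that is only
// sound for genuine booleans, beside a differential check that exposes the
// semantic drift on non-boolean inputs.

// What the source says: compare the truthiness of a and b.
function original(a, b) {
  return !a == !b;
}

// A rewrite an optimizer might emit if it assumes a and b are booleans
// (constructed example of the bug class, not the exact uglify-js rule).
// For true/false inputs `a == b` gives the same answer as `!a == !b`;
// for other values it compares loose equality instead of truthiness.
function naiveRewrite(a, b) {
  return a == b;
}

// A rewrite that stays correct for every value: coerce to boolean first.
function soundRewrite(a, b) {
  return !!a === !!b;
}

// Constructed corpus: the two booleans plus values commonly used in boolean
// context that are not booleans (falsy and truthy numbers, strings, objects).
const SAMPLE_VALUES = [true, false, 0, 1, 2, "", "0", "a", null, undefined, NaN, [], {}];

// Differential check: run the reference and the rewrite over every pair of
// sample values and collect the pairs where the two results differ.
function findDivergences(rewrite, reference) {
  const divergences = [];
  for (const a of SAMPLE_VALUES) {
    for (const b of SAMPLE_VALUES) {
      const want = reference(a, b);
      const got = rewrite(a, b);
      if (want !== got) divergences.push({ a, b, want, got });
    }
  }
  return divergences;
}

// True when the rewrite agrees with the reference on the whole corpus.
function isSemanticsPreserving(rewrite, reference) {
  return findDivergences(rewrite, reference).length === 0;
}

// Stand-alone run: report how far each rewrite drifts from the original.
for (const [name, fn] of [["naiveRewrite", naiveRewrite], ["soundRewrite", soundRewrite]]) {
  const found = findDivergences(fn, original);
  console.log(`${name}: ${found.length} divergent pairs`, found.slice(0, 3));
}
```

Running this reports that `naiveRewrite` diverges on many pairs while `soundRewrite` diverges on none. Two of the reported pairs show the security-relevant shape: for `a = 1, b = 2` the original says `true` (both truthy) but the rewrite says `false`, and for `a = 0, b = "0"` the original says `false` (different truthiness) but the rewrite says `true`, so a gate written with the original expression would open after minification where the source closed it. The same corpus-based comparison can be applied to any expression a minifier rewrites, which is the review step the mitigation section below recommends for minified output.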

Mitigating CVE-2015-8857 requires an immediate upgrade of the uglify-js package to version 2.4.24 or later, which contains the fix for boolean expression handling. Organizations should audit their code to identify applications that might be affected, particularly those that rely heavily on minification and obfuscation for security purposes. The fix ensures that boolean expressions are rewritten while preserving their semantic meaning, which prevents the bypass of security controls that depend on correct boolean evaluation. This vulnerability aligns with CWE-691, which covers inadequate protection of code transformations, and relates to ATT&CK technique T1070.004, indicator removal through obfuscation. System administrators and developers should also consider additional code review of minified output and monitoring for unexpected behavior in applications that use this package, particularly in security-critical components where boolean logic determines access control decisions.

Reservation: 04/20/2016

Disclosure: 01/23/2017

Moderation: accepted

Entry: VDB-95813

CPE: ready

EPSS: 0.00270

KEV: no

Activities: very low
