CVE-2015-8858 in uglify-js Package

Summary

by MITRE

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."


Analysis

by VulDB Data Team • 05/14/2026

CVE-2015-8858 is a critical regular expression denial of service (ReDoS) flaw in the uglify-js package for Node.js, affecting version 2.5.0 and earlier. The flaw lies in the package's parsing code, where maliciously crafted input can drive regular expression evaluation into excessive CPU consumption. The root cause is the use of inefficient regular expressions that are prone to catastrophic backtracking on specially constructed inputs, producing run times long enough to exhaust system resources and leave the application unresponsive.

Technically, the vulnerability lies in how the package parses JavaScript code: regular expressions are used to recognize and process the syntax elements of the input. When an attacker supplies input containing carefully constructed patterns, these regular expressions fall into exponential backtracking, and the parser consumes a disproportionate amount of CPU cycles and memory. The problem surfaces in the parse call, where the package analyzes the input code, so a relatively small input can impose massive computational overhead.

The vulnerability affects the availability of Node.js applications that use uglify-js for code minification and optimization. An attacker can trigger the denial of service by submitting malicious input to an application that passes user-supplied code through uglify-js, potentially making the service completely unavailable. The resulting load can leave the application unresponsive or crash it, which affects availability and may also give attackers opportunities for further exploitation or for maintaining persistent access on compromised systems. Any system that relies on an affected package version for JavaScript processing and minification is exposed.

Mitigation starts with upgrading to uglify-js 2.6.0 or later, which contains corrected regular expressions that no longer backtrack catastrophically. Organizations should also validate and sanitize input before handing it to code-parsing libraries, so that potentially malicious input is filtered out. Rate limiting and resource monitoring help detect and contain exploitation attempts. The vulnerability is classified under CWE-400 (unchecked resource consumption) and maps to ATT&CK technique T1499.004 for denial of service attacks; both underline the importance of proper input validation and resource management in preventing this kind of exploitation.

Reservation

04/20/2016

Disclosure

01/23/2017

Moderation

accepted

Entry

VDB-95814

CPE

ready

EPSS

0.00902

KEV

no

Activities

very low

Sources
