CVE-2015-8857

Critical

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which…

mitre·CWE-254·Published 2017-01-23

CVSS

9.8

EPSS

0.04

KEV

Exploits

cve.orgen

279 chars

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

NVDen

279 chars

OSV.deven

215 chars

Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. ## Recommendation Upgrade UglifyJS to version >= 2.4.24.

GHSAen

215 chars

NVDes

340 chars

El paquete uglify-js en versiones anteriores a 2.4.24 para Node.js no tiene en cuenta adecuadamente los valores no booleanos al reescribir las expresiones booleanas, lo que podrían permitir a atacantes eludir los mecanismos de seguridad o posiblemente tener otro impacto no especificado aprovechando incorrectamente el Javascript reescrito.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H