CVE-2015-8857

9.8 CRITICAL

📋 TL;DR

A vulnerability in uglify-js versions before 2.4.24 allows attackers to bypass security mechanisms by exploiting improper boolean expression rewriting. This affects Node.js applications using vulnerable uglify-js for JavaScript minification, potentially leading to security control bypass or other impacts.

💻 Affected Systems

Products:
  • uglify-js
Versions: All versions before 2.4.24
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using uglify-js for JavaScript minification/compression.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass authentication, authorization, or other security controls in minified JavaScript code, potentially leading to complete system compromise.

🟠

Likely Case

Security bypass in applications relying on uglify-js for code minification, allowing circumvention of client-side security checks.

🟢

If Mitigated

Minimal impact if proper server-side validation and security controls are implemented independently of client-side code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to influence JavaScript code that gets processed by vulnerable uglify-js.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.24 and later

Vendor Advisory: https://nodesecurity.io/advisories/39

Restart Required: No

Instructions:

1. Update uglify-js to version 2.4.24 or later: npm update uglify-js
2. Rebuild and redeploy any applications using uglify-js.
3. Test the minified JavaScript output for correctness.

🔧 Temporary Workarounds

Use alternative minifier (all platforms)

Temporarily switch to a different JavaScript minification tool:

npm uninstall uglify-js
npm install terser

🧯 If You Can't Patch

  • Implement additional server-side validation for all security-critical operations
  • Disable JavaScript minification in development/production environments

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list uglify-js

Check Version:

npm list uglify-js

Verify Fix Applied:

Verify that every installed copy (including copies nested under other packages) is 2.4.24 or higher: npm list uglify-js | grep uglify-js
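As an added check that is not part of this advisory, the following Node.js script walks a package-lock.json (both the nested lockfile v1 layout and the flat v2/v3 "packages" map) and flags every copy of uglify-js below 2.4.24, including copies nested under other packages, which a quick grep of npm list can miss. The lock-file contents below are a constructed sample, not a real project.

```javascript
// Added example: locate every uglify-js entry in a package-lock.json and
// flag versions older than the fixed release 2.4.24 (CVE-2015-8857).
const FIXED = [2, 4, 24];

// Parse "2.4.16", "v2.4.16" or "2.4.16-beta" into numeric parts; prerelease
// and build suffixes are dropped, so "2.4.24-rc" counts as fixed.
function parseVersion(v) {
  return String(v).replace(/^[v=]/, "").split(/[-+]/)[0]
    .split(".").map(n => parseInt(n, 10) || 0);
}

// True when version < 2.4.24 by numeric major/minor/patch comparison.
function isVulnerable(version) {
  const p = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const a = p[i] || 0, b = FIXED[i];
    if (a !== b) return a < b;
  }
  return false; // exactly 2.4.24
}

// Collect {path, version, vulnerable} for each uglify-js copy in the lock.
function findUglify(lock) {
  const hits = [];
  // lockfile v2/v3: flat map keyed by install path ("" is the root project)
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/uglify-js$/.test(path)) hits.push({ path, version: meta.version });
  }
  // lockfile v1: nested "dependencies" tree (skipped when "packages" exists,
  // since v2 lockfiles carry both and we would double-count)
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "uglify-js") hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  })(lock.packages ? {} : lock.dependencies, "");
  return hits.map(h => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample: a fixed top-level copy plus a vulnerable nested copy
// pulled in by a hypothetical build plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "uglify-js": { version: "2.6.1" },
    "some-build-plugin": {
      version: "0.9.1",
      dependencies: { "uglify-js": { version: "2.4.16" } },
    },
  },
};

// Returns "path@version" for every vulnerable copy in the given lock file.
function report(lock = SAMPLE_LOCK) {
  return findUglify(lock).filter(h => h.vulnerable).map(h => `${h.path}@${h.version}`);
}

console.log(report());
```

To scan a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).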

📡 Detection & Monitoring

Log Indicators:

  • Unexpected security bypass events
  • Authentication failures for users who should otherwise validate successfully

Network Indicators:

  • Unusual client-side JavaScript behavior patterns

SIEM Query:

source="application" AND (event_type="auth_failure" OR event_type="security_bypass")
