PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8857 Uglifyjs Project CVE debrief

CVE-2015-8857 affects uglify-js versions before 2.4.24. The issue is in how the package rewrites boolean expressions during compression: the rewrite did not properly account for non-boolean operands, so for values that are merely truthy or falsy (numbers, strings, null, undefined, objects) rather than true or false, the transformed expression can evaluate differently from the original. That can change program logic in a way that bypasses intended security controls or causes other incorrect behavior. Because uglify-js is commonly used in Node.js build and release pipelines, the practical risk is that the minified JavaScript actually shipped may not preserve the security assumptions of the source that was reviewed.

Vendor
Uglifyjs Project
Product
Uglifyjs
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Maintainers of Node.js projects, frontend and backend teams that run uglify-js in build pipelines (directly or through a bundler or task-runner plugin), release engineering teams, and security teams that rely on minified or transformed JavaScript preserving the exact boolean logic of the reviewed source.

Technical summary

According to NVD and the linked advisories, uglify-js before 2.4.24 improperly handled non-boolean values during boolean-expression rewriting. The output JavaScript can therefore be incorrect or unsafe: a rewrite that preserves meaning when both operands are booleans can produce a different result once an operand is a number, string, null, undefined or object, and this matters most where the rewritten condition gates security-relevant behavior. NVD maps the issue to CWE-254 and rates it CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
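The following is an added illustration of this bug class, written for this debrief; it is not uglify-js code, and the toy rewrite it performs (`!a == !b` to `a == b`) is a constructed stand-in for the bug class, not the actual CVE-2015-8857 transformation. It shows why a rewrite that is valid on boolean operands silently changes results on non-boolean values, contrasts it with a rewrite that is sound for every value (`!(a == b)` to `a != b`), and includes a differential check of the kind used to catch the divergence. The probe values and guard expressions are constructed for the example.

```javascript
// Added example: a boolean-expression rewrite that assumes boolean operands,
// next to one that does not, and a differential check that tells them apart.
// Not UglifyJS code; the rewrites are constructed stand-ins for the bug class.

// Constructed probe set: values that are truthy/falsy without being true/false.
const PROBES = [true, false, 0, 1, 2, -1, "", "0", "abc", null, undefined, NaN, [], {}];

// Toy "optimisation": rewrite `!x == !y` as `x == y`.
// For booleans, !x == !y is equivalent to x == y, so this looks like a harmless
// two-character saving. For non-booleans it changes the truth table:
// !1 == !2 is true (false == false), but 1 == 2 is false.
function naiveBooleanRewrite(src) {
  return src.replace(/!\s*(\w+)\s*==\s*!\s*(\w+)/g, "$1 == $2");
}

// Sound rewrite: `!(x == y)` to `x != y`. ECMAScript defines != as the exact
// negation of ==, so this holds for every value, NaN and objects included.
function soundNegationRewrite(src) {
  return src.replace(/!\(\s*(\w+)\s*==\s*(\w+)\s*\)/g, "$1 != $2");
}

// Differential check: build both function bodies and run every pair of probe
// values through each, returning the inputs on which the results diverge.
// This evaluates the supplied source, so only use it on code you trust.
function differentialCheck(originalBody, transformedBody, probes = PROBES) {
  const original = new Function("a", "b", originalBody);
  const transformed = new Function("a", "b", transformedBody);
  const mismatches = [];
  for (const a of probes) {
    for (const b of probes) {
      const want = original(a, b);
      const got = transformed(a, b);
      if (!Object.is(want, got)) mismatches.push({ a, b, want, got });
    }
  }
  return mismatches;
}

// A guard a developer might plausibly write: "both flags set, or both unset".
function demo() {
  const guard = "return !a == !b;";
  const unsound = naiveBooleanRewrite(guard);
  const check = "return !(a == b);";
  const sound = soundNegationRewrite(check);
  return {
    unsound: { source: guard, rewritten: unsound, mismatches: differentialCheck(guard, unsound) },
    sound: { source: check, rewritten: sound, mismatches: differentialCheck(check, sound) },
  };
}

// Stand-alone run: prints how many probe pairs each rewrite gets wrong.
const result = demo();
console.log(`${result.unsound.source} -> ${result.unsound.rewritten}: ${result.unsound.mismatches.length} mismatching inputs`);
console.log(`${result.sound.source} -> ${result.sound.rewritten}: ${result.sound.mismatches.length} mismatching inputs`);
if (result.unsound.mismatches.length) console.log("first mismatch:", result.unsound.mismatches[0]);
```

Restricting the probe set to `[true, false]` makes the unsound rewrite look correct, which is exactly the blind spot the CVE describes; the divergence only appears once non-boolean inputs are included.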

Defensive priority

Critical by score: CVSS 9.8, with the issue able to affect security-sensitive logic without requiring privileges or user interaction. The score is NVD's generic assessment; the logic change only materializes when an affected version transforms source that triggers the faulty rewrite, so actual exposure depends on whether such code (including contributed or third-party code that passed review in its unminified form) reaches the minifier and whether the transformed output gates security decisions. Treat as a high-priority dependency update if uglify-js is present in any active build path.

Recommended defensive actions

  • Upgrade uglify-js to version 2.4.24 or later (the 2.x line is long superseded; current releases contain the fix).
  • Inventory build and release pipelines for direct or transitive uglify-js use, including copies pulled in by bundler or task-runner plugins (npm ls uglify-js --all lists every installed copy and its path).
  • Rebuild and retest any artifacts produced with affected versions, especially where boolean logic influences access control or feature gating.
  • Pin or lock dependency versions (package-lock.json, npm-shrinkwrap.json or an equivalent lockfile) to prevent reintroduction of vulnerable releases.
  • Review downstream bundles or generated JavaScript for unexpected logic changes after minification or transformation; where a condition gates security behavior, compare the minified output against the original on non-boolean inputs (numbers, strings, null, undefined, objects), not only on true and false.
  • Monitor the linked advisories and your dependency tooling for any affected package variants or forks.
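As an added example for the inventory and pinning steps above (not part of the original page or the uglify-js project), the script below walks a dependency tree in the shape that `npm ls --json --all` emits, reports every installed copy of uglify-js with its install path, and flags copies older than the fixed release 2.4.24. The embedded tree is a constructed sample; a real run reads the JSON that npm produces. The version comparison is a minimal major.minor.patch compare written for this example (a prerelease of 2.4.24 is treated as not yet fixed), not the semver package.

```javascript
// Added example: find every installed uglify-js and flag versions < 2.4.24.
// Not uglify-js or npm code. Reads the JSON shape produced by `npm ls --json --all`.

const FIXED_VERSION = "2.4.24";

// Constructed sample tree in the shape of `npm ls --json --all` output:
// one current top-level copy, one vulnerable transitive copy, one copy at the
// exact fix version.
const SAMPLE_NPM_LS = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "uglify-js": { version: "3.17.4" },
    "legacy-build-tool": {
      version: "1.0.0",
      dependencies: { "uglify-js": { version: "2.4.23" } },
    },
    "other-plugin": {
      version: "0.9.0",
      dependencies: { "uglify-js": { version: "2.4.24" } },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything
// that does not look like a version (npm prints e.g. "missing" for absent deps).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v ?? "").trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// -1, 0 or 1 for a < b, a == b, a > b. A prerelease sorts below the release
// with the same numbers; prerelease identifiers are not compared further.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// True when the installed version already contains the CVE-2015-8857 fix.
function isFixed(version) {
  return compareVersions(version, FIXED_VERSION) >= 0;
}

// Depth-first walk of the `dependencies` nesting, collecting every node named
// `name` together with the path of packages that pulled it in.
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here, version: node.version });
    findPackage(node, name, here, out);
  }
  return out;
}

// vulnerable: true/false, or null when the version could not be parsed and
// the entry needs a manual look.
function auditUglify(tree) {
  return findPackage(tree, "uglify-js").map(({ path, version }) => ({
    path: path.join(" > "),
    version: version ?? "(missing)",
    vulnerable: parseVersion(version) ? !isFixed(version) : null,
  }));
}

// Stand-alone run: `npm ls --json --all > tree.json && node audit.js tree.json`;
// without an argument the constructed sample is audited instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const tree = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_NPM_LS;
  const findings = auditUglify(tree);
  for (const f of findings) {
    const status = f.vulnerable === null ? "REVIEW" : f.vulnerable ? "VULNERABLE" : "ok";
    console.log(`${status.padEnd(10)} uglify-js@${f.version}  via ${f.path}`);
  }
  if (file) process.exitCode = findings.some(f => f.vulnerable !== false) ? 1 : 0;
}
```

Exit status 1 on any vulnerable or unparseable copy makes the script usable as a CI gate; pair it with a committed lockfile so a passing tree cannot silently regress on the next install.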

Evidence notes

The NVD record states that uglify-js before 2.4.24 does not properly account for non-boolean values when rewriting boolean expressions, with possible security bypass impact. NVD assigns CVSS 3.1 9.8 and CWE-254. The source references include the Node Security advisory (nodesecurity.io/advisories/39), an oss-security mailing list post dated 2016-04-20, and a SecurityFocus VDB entry. The CVE was published on 2017-01-23.

Official resources

The CVE was published on 2017-01-23. The referenced advisories in the source corpus date back to 2016-04-20, showing the issue was publicly discussed before CVE publication. This debrief uses the CVE published date for disclosure timing and