PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8858 Uglifyjs Project CVE debrief

CVE-2015-8858 describes a regular expression denial of service (ReDoS) issue in the uglify-js package for Node.js. Crafted input passed to parse() can consume excessive CPU and deny service. The CVE record was published on 2017-01-23, and the underlying advisories referenced by NVD date back to 2016.

Vendor: Uglifyjs Project
Product: CVE-2015-8858
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications that depend on uglify-js, especially build pipelines, bundling/minification services, or any service that accepts untrusted or user-influenced JavaScript input for parsing.

Technical summary

The vulnerability is a denial-of-service condition caused by crafted input that triggers inefficient regular-expression behavior during parse() processing. NVD classifies the weakness as CWE-399 and rates the issue CVSS 3.0 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting remotely triggerable availability impact with no confidentiality or integrity impact. The CVE description says affected versions are before 2.6.0; NVD's CPE criteria in the supplied record mark vulnerability through 2.5.0.

Defensive priority

High for any environment that processes untrusted input with affected uglify-js versions, because the impact is service availability and the attack complexity is low.

Recommended defensive actions

  • Upgrade uglify-js to a fixed release at or above 2.6.0.
  • Inventory applications, build systems, and CI jobs that depend on uglify-js and verify the resolved package version.
  • If immediate upgrade is not possible, restrict exposure by ensuring untrusted input is not passed into parse() and by isolating parsing workloads.
  • Monitor for abnormal CPU usage or request latency associated with JavaScript parsing/minification tasks.
  • Re-run dependency audits after remediation to confirm no transitive copies of vulnerable uglify-js remain.

Evidence notes

Primary evidence comes from the NVD record and linked advisories. The CVE description states that uglify-js before 2.6.0 can be abused with crafted input in a parse call to cause denial of service via ReDoS. NVD lists CWE-399 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied NVD CPE criteria mark affected versions through 2.5.0, which is consistent with the CVE description's 'before 2.6.0' wording. References in the record include an OSS Security mailing list post, a SecurityFocus entry, and a Node Security advisory.

Official resources

The vulnerability was referenced in 2016 advisories and entered the CVE record on 2017-01-23. The NVD record was later modified on 2026-05-13, but that date is not the vulnerability disclosure date.