CVE-2022-25858 Overview
CVE-2022-25858 is a Regular Expression Denial of Service (ReDoS) vulnerability in Terser, a widely used JavaScript minifier and compressor found in most modern web build toolchains. The flaw is not a bad regular expression inside Terser itself: Terser's compressor evaluates regular expression literals found in the code it is minifying, so a pattern engineered for catastrophic backtracking can be compiled and executed by the minifier process, where it consumes CPU for an unbounded time.
Critical Impact
An attacker who can get JavaScript in front of a vulnerable Terser can stall the minification step, and with it the build system, CI/CD pipeline or server-side bundling service running it, disrupting development workflows and production deployments. The impact is to availability only: the crafted pattern hangs the process but does not give the attacker code execution in the build environment.
Affected Products
- Terser (npm package terser) before 4.8.1 on the 4.x branch
- Terser (npm package terser) from 5.0.0 up to but not including 5.14.2 on the 5.x branch
- The WebJars repackaging of the Terser npm package for the Java ecosystem, where it bundles one of the versions above
Discovery Timeline
- July 15, 2022 - CVE-2022-25858 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-25858
Vulnerability Analysis
The vulnerability is in Terser's constant-evaluation logic in the compressor (lib/compress/evaluate.js and related modules). To fold expressions at build time, Terser turns regular expression literals in the source into real RegExp objects and executes them when a surrounding expression with constant operands is being evaluated. The matcher doing that work is the JavaScript engine's own backtracking regex engine, running inside the minifier process.
A pattern with nested or overlapping quantifiers can be chosen so that it never matches the accompanying input yet forces the matcher to retry an exponentially growing number of ways of partitioning that input before it fails. Because the pattern, and in a folded call the string it is applied to, come straight from the file being minified, the attacker controls both, and a single expression can keep the minifier busy for minutes or hours, stalling the build and anything that shares the machine with it.
The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity), which covers denial of service through the computational cost of evaluating a regular expression.
Root Cause
The root cause is that lib/compress/evaluate.js and related compression modules turned any regular expression literal in user-supplied code into a RegExp and evaluated it, with no check on whether the pattern belonged to a subset that cannot backtrack catastrophically, and nothing bounded the time a single evaluation could take.
Attack Vector
An attacker exploits this by getting JavaScript that contains a malicious regular expression literal into any application or build process that runs a vulnerable Terser over it. Attack scenarios include:
- Supply chain attacks: a malicious or compromised npm package whose code is bundled and minified by Terser as part of the application build
- Direct targeting: submitting crafted JavaScript to web applications that run Terser on user-supplied code server-side
- CI/CD disruption: committing or submitting (for example in a pull request) ReDoS-triggering patterns to a repository whose pipeline runs Terser
// Security patch introducing regexp_is_safe validation
// Source: https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012
// Subset of regexps that is not going to cause regexp based DDOS
// https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
const re_safe_regexp = /^[\\/|\0\s\w^$.[[\]()]*$/;
/** Check if the regexp is safe for Terser to create without risking a RegExp DOS */
export const regexp_is_safe = (source) => re_safe_regexp.test(source);
Detection Methods for CVE-2022-25858
Indicators of Compromise
- Abnormally high CPU utilization during JavaScript build or minification processes
- Build pipeline timeouts or hangs specifically during the Terser minification step
- Node.js processes pinned at 100% of a single core while processing JavaScript files (ReDoS is single-threaded CPU exhaustion; memory usually stays flat, so a stuck process with a stable heap is the typical signature)
- Source submissions containing regex literals with nested quantifiers (a group repeated with + or * that itself contains + or *) or overlapping alternations
Detection Strategies
- Implement software composition analysis (SCA) to identify vulnerable Terser versions in package.json and package-lock.json files
- Monitor build system resource utilization for anomalies during minification tasks
- Use dependency scanning tools to flag Terser versions below 4.8.1, or from 5.0.0 up to but not including 5.14.2
- Deploy runtime monitoring for Node.js processes executing Terser to detect prolonged CPU spikes
Monitoring Recommendations
- Configure alerts for build job durations exceeding normal thresholds
- Implement CPU usage monitoring on build servers and CI/CD runners
- Enable dependency vulnerability scanning in your package management workflow
- Monitor npm audit outputs for known vulnerabilities in project dependencies
How to Mitigate CVE-2022-25858
Immediate Actions Required
- Update Terser to version 4.8.1 or later for the 4.x branch
- Update Terser to version 5.14.2 or later for the 5.x branch
- Audit all projects using Terser and verify the installed version
- Review transitive dependencies: Terser is usually pulled in indirectly by bundler plugins rather than listed in package.json, so check every resolved copy in the lock file, not only the direct dependency
Patch Information
The Terser maintainers addressed this vulnerability by introducing a regexp_is_safe function that checks the source of a regular expression literal before Terser constructs and evaluates it. Only patterns made of a conservative safe subset of characters (no quantifiers) are evaluated at build time; anything else is left unfolded and runs in the browser as written.
The fix is in commit d8cc5691be980d663c29cc4d5ce67e852d597012 in the terser/terser repository (excerpted above), released as 4.8.1 and 5.14.2.
For additional vulnerability details, see the Snyk JavaScript Vulnerability Report and Snyk Java Vulnerability Report.
Workarounds
- Enforce a wall-clock timeout on the minification step so a pathological input fails the build instead of hanging the runner, if immediate patching is not possible
- Restrict what gets minified to trusted, reviewed JavaScript until the upgrade is applied
- Pre-screen source for regex literals with nested or overlapping quantifiers before minification (a heuristic stopgap, not a substitute for the upgrade)
- Apply CPU and memory limits to build processes (container limits, cgroups, CI job quotas) so one stuck job cannot monopolize a shared runner
# List every installed copy of Terser, including transitive ones pulled in by bundler plugins
npm ls terser
# Update a directly declared Terser to the latest release
npm install terser@latest
# Or pin a range that excludes the vulnerable releases
npm install "terser@>=4.8.1 <5.0.0 || >=5.14.2"
# For transitive copies, force the resolved version with an "overrides" entry in package.json
# (npm 8.3 or later), e.g. "overrides": { "terser": "^5.14.2" }, then run npm install again
# Re-run the advisory check
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


