html-webpack-plugin icon indicating copy to clipboard operation
html-webpack-plugin copied to clipboard

Published 20 hours ago verified publisher icon jantimon

CVE-2022-25858 | Unknown

Open sandeepmahajan11 opened this issue 2 years ago • 1 comments

Current behavior 💣

CVE-2022-25858 | Unknown terser is vulnerable to regular expression denial of service. The vulnerability exists in index.js and evaluate.js because regular expressions used are not properly handled which allows an attacker to send crafted requests which causes an application crash

path of the issue: file9579178566_1660814181915_html/WebUI_18_08_2022.2/node_modules/terser

Expected behavior ☀️

The latest version(5.14.2) of "terser" should be used.

Reproduction Example 👾

  1. Install the library in any sample project.
  2. Scan the sample project binaries with "Veracode" or any other security tool.

Environment 🖥

This is a security issue and can be reproduced in any environment by scanning the library with any security tool.
MicrosoftTeams-image

sandeepmahajan11 avatar Aug 23 '22 05:08 sandeepmahajan11

Here's the pending pull request for this issue

https://github.com/jantimon/html-webpack-plugin/pull/1761

JesseDahl avatar Oct 10 '22 19:10 JesseDahl

We can't update it currently due https://github.com/terser/html-minifier-terser/blob/master/package.json#L44, we still support node.js v10, but we want to make a major release soon and drop old Node.js versions and update deps, the original problem was solved by terser, so just update your transitive deps, sorry for delay and feel free to feedback

alexander-akait avatar Jun 09 '23 18:06 alexander-akait