Date: Mon, 24 Aug 2015 12:44:13 -0700
From: Reed Loden <>
	Assign a CVE Identifier <>
Subject: Re: CVE request: uglify-js node.js module <2.4.24 incorrectly handles
 non-boolean comparisons during minification

This also affects the uglifier ruby gem as well, which is a "Ruby wrapper
for UglifyJS JavaScript compressor."

No fixed version released yet, but I submitted a PR to fix in


On Mon, Aug 24, 2015 at 11:26 AM, Reed Loden <> wrote:

> As seen on Hacker News --
> Blog post has all the details, but basically the UglifyJS node module has
> a problem where the combination of De Morgan’s Law and non-boolean values
> can lead to a case where code is incorrectly minified, which can lead to
> possibly malicious minified JS code.
> UglifyJS is a "JavaScript parser / mangler / compressor / beautifier
> toolkit" for Node.js.
> Node.js module: uglify-js (
> Affects: 2.4.23 and earlier
> Fixed in: 2.4.24
> Reported via
> Fixed by
> Can a CVE be assigned?
> Thanks,
> ~reed
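
Added example, not part of the original message and not UglifyJS code or the expression from the referenced blog post: a differential check showing why a De Morgan rewrite of `!a && b` into `!(a || !b)` is only safe where the result is used as a condition. The function names, sample values and the token-expiry scenario are constructed assumptions.

```javascript
// Added illustration (constructed; not UglifyJS code or the blog post's sample).
// `original` is the kind of expression a developer writes: it yields the
// number of seconds left, or false when the token is revoked.
const original = (revoked, secondsLeft) => !revoked && secondsLeft;

// The same expression after a De Morgan rewrite, !a && b  ->  !(a || !b).
// The outer negation forces the result to a boolean.
const rewritten = (revoked, secondsLeft) => !(revoked || !secondsLeft);

// Constructed sample values covering booleans and common non-booleans.
const SAMPLES = [undefined, null, false, true, 0, 1, -5, "", "x", NaN];

// Ways the surrounding code may consume the expression's result.
const CONTEXTS = {
  condition: (v) => Boolean(v), // if (expr) ...
  value: (v) => v,              // x = expr
  positive: (v) => v > 0,       // expr > 0
};

// Differential check: return every input pair where f and g disagree
// when observed through `observe`. Object.is treats NaN as equal to NaN.
function findDivergences(f, g, observe, samples = SAMPLES) {
  const out = [];
  for (const a of samples) {
    for (const b of samples) {
      const x = observe(f(a, b));
      const y = observe(g(a, b));
      if (!Object.is(x, y)) out.push({ a, b, original: x, rewritten: y });
    }
  }
  return out;
}

for (const [name, observe] of Object.entries(CONTEXTS)) {
  const diffs = findDivergences(original, rewritten, observe);
  console.log(`${name}: ${diffs.length} diverging input pairs`);
}
// An expired, non-revoked token: secondsLeft is negative but truthy.
console.log(original(false, -5) > 0, rewritten(false, -5) > 0);
```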
