Critical severity 9.8 · NVD Advisory · Published Jan 23, 2017 · Updated May 13, 2026
CVE-2015-8857
Description
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| uglify-js (npm) | < 2.4.24 | 2.4.24 |
| uglifier (RubyGems) | < 2.7.2 | 2.7.2 |
Affected products: 1
Patches: 1
- 4677bfe38142
Vulnerability mechanics
References (10)
- nodesecurity.io/advisories/39 (nvd: Exploit, Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2016/04/20/11 (nvd: Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/96410 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-34r7-q49f-h37c (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8857 (ghsa: ADVISORY)
- github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e (ghsa: WEB)
- github.com/mishoo/UglifyJS2/issues/751 (ghsa: WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml (ghsa: WEB)
- web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410 (ghsa: WEB)
- zyan.scripts.mit.edu/blog/backdooring-js (ghsa: WEB)