
Sonatype scan raises critical vulnerability: [CVE-2022-37598] Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.X.X via the name variable in ast.js. #5721

Closed
ciarancolgan opened this issue Oct 26, 2022 · 7 comments
@ciarancolgan

**Uglify version**
At least all versions from our current (3.13.2) to latest

**Issue**
As of 25/10/22, running an auditjs ossi scan on our codebase throws this issue as a critical error:
Vulnerability Title: [CVE-2022-37598] Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2022-37598?component-type=npm&component-name=uglify-js&utm_source=auditjs&utm_medium=integration&utm_content=4.0.38
According to Sonatype this affects all published versions of UglifyJS, so upgrading won't help.

The same issue was reported here: #5699 but has been closed, marked as invalid?

Would you be able to look into this, or point me at the area and I can take a look at getting a PR raised? Thanks!

@alexlamsl
Collaborator

Please refrain from restating automated tooling reports verbatim without further, proper analysis of whether it is genuinely valid.

@CarlG12

CarlG12 commented Oct 26, 2022

@alexlamsl, I highly suggest you update the CVE record by filing this form: https://cveform.mitre.org/

Otherwise, all tools that monitor CVE issues will raise a critical issue on the UglifyJS package.
This is a link to the CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37598

@alexlamsl
Collaborator

@CarlG12 I did not opt for or file any CVEs in the first place, so I failed to see how it is my responsibility to "Report Spam".

You have my full blessing to tell whoever's in charge to remove any records with regards to UglifyJS - and perhaps ask them to obtain a maintainer's opinion/consensus in the future before causing inconvenience to the user community.

@jimmyjames177414

@alexlamsl I am in the same boat as @ciarancolgan and many, many others. Corporate vulnerability scanners will force us to remove UglifyJS and find other solutions and never look back. I believe this tool's user community will drop drastically if the CVE isn't resolved. If you disagree with the verdict that this is a true vulnerability, please reach out to NIST.gov and make your case.
https://nvd.nist.gov/vuln/detail/CVE-2022-37598

@ciarancolgan here seems to be the area:

```js
function DEFNODE(type, props, methods, base) {
    // ...
    ctor.prototype[name] = methods[name];
    // ...
```
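As an added triage aid, not code from the thread or from UglifyJS itself: a hypothetical `defNode` that reproduces the shape of the cited assignment, with two checks showing that the write reaches only the prototype of the constructor being defined, so no shared prototype such as `Object.prototype` is affected, even with keys a real pollution sink would be sensitive to. It assumes the calling convention the thread points at, where `methods` is a definition object supplied alongside the node type.

```javascript
// Hypothetical DEFNODE-style definer (added here; not UglifyJS's own code).
// It reproduces the shape of the cited assignment so the write target can be
// inspected: `name` ranges over the keys of `methods`, and the write goes to
// the prototype of a constructor that was just created for this node type.
function defNode(type, methods, base) {
  function ctor() {}                        // stands in for the generated AST_<type> constructor
  if (base) ctor.prototype = Object.create(base.prototype);
  ctor.prototype.constructor = ctor;
  ctor.TYPE = type;
  for (const name in methods) {
    if (!Object.prototype.hasOwnProperty.call(methods, name)) continue;
    ctor.prototype[name] = methods[name];   // the line quoted in the thread
  }
  return ctor;
}

// Check 1: methods land on the new constructor's prototype and are inherited
// by node types derived from it, but never appear on plain objects.
function methodsStayOnNewPrototype() {
  const Node = defNode("Node", { walk() { return "walk:" + this.constructor.TYPE; } });
  const Token = defNode("Token", { text() { return "tok"; } }, Node);
  return new Token().walk() === "walk:Token"
      && new Token().text() === "tok"
      && !("walk" in {}) && !("text" in {});
}

// Check 2: keys that a genuine prototype-pollution sink would be sensitive to
// (constructed via JSON.parse so that "__proto__" is an own, enumerable key)
// still only affect the freshly created prototype: "__proto__" re-parents
// Odd.prototype, and "constructor" overwrites Odd.prototype's own property.
// Object.prototype, which every other object shares, is left untouched.
function hostileKeysDoNotEscape() {
  const methods = JSON.parse('{"__proto__": {"polluted": true}, "constructor": "x"}');
  const Odd = defNode("Odd", methods);
  return new Odd().polluted === true
      && ({}).polluted === undefined
      && Object.prototype.constructor === Object
      && !("polluted" in Object.prototype);
}
```

The remaining question for a report of this kind is whether `methods` can ever be built from untrusted input; in the pattern shown it is a per-type definition object, not data received at runtime.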

@jeensingh

Synopsys BlackDuck scan also reports this as a critical vulnerability.
As others have commented, @alexlamsl, you should make your case and get this vulnerability removed from the list. Closing the issue as Invalid is not a solution and not beneficial for anyone.

@robbytx

robbytx commented Nov 15, 2022

@ciarancolgan @CarlG12 @jimmyjames177414 @jeensingh - the responsibility for clarifying this belongs to @Supraja9726 who was responsible for filing the issue #5699 that appears to have set this whole chain of events into motion.

I've added a comment to that issue clarifying that I agree with the assessment that this issue is invalid, and I've asked for @Supraja9726 to defend the claim that such a vulnerability exists.

@alexlamsl
Collaborator

@robbytx thanks for your assessment and the attempt to rectify this situation 👍
