Skip to content

ReDoS via long UserAgent header in ua-parser

High severity GitHub Reviewed Published Jul 24, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm ua-parser (npm)

Affected versions

<= 0.3.5

Patched versions

None

Description

Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.

References

Published to the GitHub Advisory Database Jul 24, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(98th percentile)

Weaknesses

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Learn more on MITRE.

CVE ID

CVE-2017-16086

GHSA ID

GHSA-pmg9-p9r2-6q87

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.