
ReDoS via long UserAgent header in ua-parser

High severity GitHub Reviewed Published Jul 24, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm ua-parser (npm)

Affected versions

<= 0.3.5

Patched versions

None

Description

Affected versions of ua-parser are vulnerable to regular expression denial of service (ReDoS) when given a specially crafted, long User-Agent header. The regular expressions the package uses to classify a user agent backtrack catastrophically on such input, so a single request can pin the CPU of the Node.js event loop and stall every other request served by that process.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is to stop using this package and switch to a functionally equivalent one such as useragent. Where that is not immediately possible, reduce exposure by rejecting or truncating over-long User-Agent headers before they reach the parser and by parsing off the request path (for example in a worker with a timeout); a length cap limits how much input an attacker can feed the regex but does not by itself make a pathological pattern safe.

References

Published to the GitHub Advisory Database Jul 24, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.907%
(83rd percentile)

Weaknesses

CVE ID

CVE-2017-16086

GHSA ID

GHSA-pmg9-p9r2-6q87

Source code

No known source code