Skip to content

ReDoS via long UserAgent header in ua-parser

High severity GitHub Reviewed Published Jul 24, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm ua-parser (npm)

Affected versions

<= 0.3.5

Patched versions

None

Description

Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.

References

Published to the GitHub Advisory Database Jul 24, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

CVE-2017-16086

GHSA ID

GHSA-pmg9-p9r2-6q87

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.