Severity: high

ReDoS via long UserAgent header



Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.


No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Aug 29th, 2017
  2. reported

    Initial report by Adam Baldwin
    Mar 6th, 2017