GHSA-9H5V-PFQQ-X599

Vulnerability from github – Published: 2026-06-15 20:15 – Updated: 2026-06-15 20:15
VLAI
Summary
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Details

Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:

/ ([\w ]+) miui\/v?\d/i

Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.

PoC

const { UAParser } = require('ua-parser-js');

const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}

Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact.

Affected Versions

ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.

Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.

References

Credits

Thanks to @sondt99, who first reported the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:15:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):\n\n```js\n/ ([\\w ]+) miui\\/v?\\d/i\n```\n\nUnlike when using the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, when using Client Hints, values are copied without a length limit before being passed into regex parsing.\n\n### PoC\n\n```js\nconst { UAParser } = require(\u0027ua-parser-js\u0027);\n\nconst headers = {\n  \u0027sec-ch-ua-platform\u0027: \u0027\"Android\"\u0027,\n  \u0027sec-ch-ua-mobile\u0027: \u0027?1\u0027,\n  \u0027sec-ch-ua-model\u0027: \u0027\"\u0027 + \u0027A \u0027.repeat(25000) + \u0027\"\u0027\n};\n\nconst t0 = process.hrtime.bigint();\nUAParser(headers).withClientHints();\nconst ms = Number(process.hrtime.bigint() - t0) / 1e6;\n\nif (ms \u003e 100) {\n  console.log(\u0027Potential ReDoS\u0027);\n}\n```\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.\n\n### Affected Versions\n\n`ua-parser-js` versions `\u003e=2.0.1, \u003c=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.\n\n### Patches\n\nA patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.\n\n### References\n\n- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits\n\nThanks to [@sondt99](https://github.com/sondt99), who first reported the issue.",
  "id": "GHSA-9h5v-pfqq-x599",
  "modified": "2026-06-15T20:15:02Z",
  "published": "2026-06-15T20:15:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faisalman/ua-parser-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…