ghsa-fhg7-m89q-25r3
Vulnerability from github
Published
2023-01-24 15:36
Modified
2025-04-01 23:06
Severity ?
Summary
ReDoS Vulnerability in ua-parser-js version
Details
Description:
A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.
Impact:
This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.
Affected Versions:
All versions of the library prior to version 0.7.33 / 1.0.33.
Patches:
A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.
References:
Regular expression Denial of Service - ReDoS
Credits:
Thanks to @Snyk who first reported the issue.
{ affected: [ { package: { ecosystem: "npm", name: "ua-parser-js", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "0.7.33", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "npm", name: "ua-parser-js", }, ranges: [ { events: [ { introduced: "0.8.0", }, { fixed: "1.0.33", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2022-25927", ], database_specific: { cwe_ids: [ "CWE-1333", "CWE-400", ], github_reviewed: true, github_reviewed_at: "2023-01-24T15:36:32Z", nvd_published_at: "2023-01-26T21:15:00Z", severity: "HIGH", }, details: "### Description:\nA regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`.\n\n### Impact:\nThis vulnerability bypass the library's `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.\n\n### Affected Versions:\nAll versions of the library prior to version `0.7.33` / `1.0.33`.\n\n### Patches:\nA patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later.\n\n### References:\n[Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits:\nThanks to @Snyk who first reported the issue.", id: "GHSA-fhg7-m89q-25r3", modified: "2025-04-01T23:06:05Z", published: "2023-01-24T15:36:32Z", references: [ { type: "WEB", url: "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25927", }, { type: "WEB", url: "https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411", }, { type: "PACKAGE", url: "https://github.com/faisalman/ua-parser-js", }, { type: "WEB", url: "https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], summary: "ReDoS Vulnerability in ua-parser-js version", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.