Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Advisories: GSA_kwCzR0hTQS1maGc3LW04OXEtMjVyM84AAxIw
ReDoS Vulnerability in ua-parser-js version
Description:
A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.
Impact:
This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.
Affected Versions:
All versions of the library prior to version 0.7.33 / 1.0.33.
Patches:
A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.
References:
Regular expression Denial of Service - ReDoS
Credits:
Thanks to @Snyk who first reported the issue.
Permalink: https://github.com/advisories/GHSA-fhg7-m89q-25r3Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 days ago
Updated: 2 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-fhg7-m89q-25r3, CVE-2022-25927
References:
- https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3
- https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411
- https://nvd.nist.gov/vuln/detail/CVE-2022-25927
- https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450
- https://github.com/advisories/GHSA-fhg7-m89q-25r3
Affected Packages
npm:ua-parser-js
Versions: >= 0.8.0, < 1.0.33, < 0.7.33Fixed in: 1.0.33, 0.7.33