See on npm

ua-parser-js 0.7.13

3 security vulnerabilities found in version 0.7.13

ReDoS Vulnerability in ua-parser-js version

high severity CVE-2022-25927
high severity CVE-2022-25927
Affected versions: < 0.7.33

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @Snyk who first reported the issue.

ua-parser-js Regular Expression Denial of Service vulnerability

high severity CVE-2020-7793
high severity CVE-2020-7793
Affected versions: < 0.7.23

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Regular Expression Denial of Service in ua-parser-js

high severity CVE-2020-7733
high severity CVE-2020-7733
Affected versions: < 0.7.22

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

npm package version without a license.

Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This package version is available.

This package version has not been yanked and is still available for usage.