ua-parser-js 0.7.21

4 security vulnerabilities found in version 0.7.21

ReDoS Vulnerability in ua-parser-js version

high severity CVE-2022-25927
Affected versions: < 0.7.33

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypasses the library's MAX_LENGTH input-limit protection. By crafting a very long user-agent string with a specific pattern, an attacker can make the script get stuck processing it for a very long time, which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released that removes the vulnerable regular expression; update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @Snyk who first reported the issue.

Regular Expression Denial of Service (ReDoS) in ua-parser-js

high severity CVE-2021-27292
Affected versions: >= 0.7.14, < 0.7.24

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

ua-parser-js Regular Expression Denial of Service vulnerability

high severity CVE-2020-7793
Affected versions: < 0.7.23

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Regular Expression Denial of Service in ua-parser-js

high severity CVE-2020-7733
Affected versions: < 0.7.22

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex that matches Redmi phone and Mi Pad tablet user-agent strings.
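The four advisories above all describe the same failure mode: a backtracking regular expression whose running time explodes on a crafted User-Agent string, and (for CVE-2022-25927) one that the library's own MAX_LENGTH cap did not contain. The following is an added example, not code from ua-parser-js or from the advisory authors. It does two things a practitioner would want at this point: map an installed version onto the affected ranges stated on this page, and show empirically why an input-length cap alone is not a ReDoS defence. The pattern `/^(a+)+$/` is a constructed textbook example, not one of the library's regexes; `acceptUserAgent` and its 512-character cap are assumed values for an edge-side guard, not anything the project ships.

```javascript
'use strict';

// Affected ranges as stated in the advisories on this page, as
// [introduced, fixed) pairs. CVE-2022-25927 also covers the 1.0.x line
// below 1.0.33 (the advisory text says "0.7.33 / 1.0.33").
const ADVISORIES = [
  { id: 'CVE-2022-25927', ranges: [['0.0.0', '0.7.33'], ['1.0.0', '1.0.33']] },
  { id: 'CVE-2021-27292', ranges: [['0.7.14', '0.7.24']] },
  { id: 'CVE-2020-7793',  ranges: [['0.0.0', '0.7.23']] },
  { id: 'CVE-2020-7733',  ranges: [['0.0.0', '0.7.22']] },
];

// Minimal semver handling: numeric major.minor.patch only. Assumption: the
// ua-parser-js releases of interest are plain x.y.z strings (no pre-release).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the IDs of the advisories on this page that apply to `version`.
function isAffected(version) {
  return ADVISORIES
    .filter(a => a.ranges.some(([lo, hi]) =>
      compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0))
    .map(a => a.id);
}

// --- ReDoS growth demonstration ---------------------------------------
// Constructed pattern with a nested quantifier. It is NOT a ua-parser-js
// regex; it is the shape behind every advisory above.
const EVIL = /^(a+)+$/;
// Same language with no nested quantifier: a single pass, no blow-up.
const LINEAR = /^a+$/;

// A "near miss": n characters that match, then one that never can, so the
// engine tries every way of splitting the run before it can fail.
function nearMiss(n) { return 'a'.repeat(n) + '!'; }

function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Time both patterns on growing inputs. Keep n small: each extra character
// roughly doubles EVIL's work, which is exactly why a cap of a few hundred
// characters (the library's MAX_LENGTH idea) does not bound it usefully.
function measure(sizes = [12, 14, 16, 18, 20]) {
  return sizes.map(n => ({
    n,
    evilMs: timeMatch(EVIL, nearMiss(n)).ms,
    linearMs: timeMatch(LINEAR, nearMiss(n)).ms,
  }));
}

// Edge-side guard that rejects (rather than silently truncates) oversized
// User-Agent values before they reach any parser. 512 is an assumed cap;
// it limits exposure but, as measure() shows, does not make a backtracking
// pattern safe. The actual fix is upgrading to 0.7.33 / 1.0.33 or later.
function acceptUserAgent(ua, maxLen = 512) {
  return typeof ua === 'string' && ua.length <= maxLen;
}

for (const v of ['0.7.21', '0.7.24', '0.7.33', '1.0.32']) {
  console.log(v, '->', isAffected(v).join(', ') || 'none of the four');
}
for (const row of measure()) {
  console.log(`n=${row.n}: evil ${row.evilMs.toFixed(2)} ms, linear ${row.linearMs.toFixed(3)} ms`);
}
```

Run it with `node` and watch the `evil` column: the time roughly doubles per added character while `linear` stays flat. That is the property the advisories describe, and it is why the only reliable remediation is the version upgrade, with the edge-side length check kept as defence in depth against patterns that are merely slow rather than exponential.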

Author did not declare license for this package in the source code.


This package version carries an MIT license, but the license is not declared in the source code.

This package version is available.


This package version has not been yanked and is still available for use.