GHSA-fhg7-m89q-25r3
ReDoS Vulnerability in ua-parser-js version
Details
### Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`.
### Impact: This vulnerability bypass the library's `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.
### Affected Versions: From version `0.7.30` to before versions `0.7.33` / `1.0.33`.
### Patches: A patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later.
### References: [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
### Credits: Thanks to @Snyk who first reported the issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2022-25927 [ADVISORY]
- https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411 [WEB]
- https://github.com/faisalman/ua-parser-js [PACKAGE]
- https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450 [WEB]