CVE-2026-48125: UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when the Client Hints API is used. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can make the parser spend excessive CPU time through catastrophic backtracking in the device regex:
`/ ([\w ]+) miui\/v?\d/i`
Unlike the User-Agent value, which is capped at `UA_MAX_LENGTH = 500` characters before parsing, Client Hints values are copied without any length limit before being passed into regex parsing.
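The following is an added example, not ua-parser-js code, showing the kind of boundary check a defender can apply while the dependency is updated: it caps every `Sec-CH-UA*` header value at the same `UA_MAX_LENGTH = 500` limit the library already applies to the User-Agent string before the headers reach `UAParser(headers).withClientHints()`, and reports which headers were truncated so the event can be logged and alerted on. The `boundClientHints`, `extractMiuiModel` and `clientHintsGuard` helper names, the prefix-based selection of header names, the middleware shape and the sample header values are assumptions made for this example; the regex is the one quoted in the advisory.

```javascript
// Added example, not part of ua-parser-js. Caps Client Hints header values
// at the limit the library applies to User-Agent, so oversized values never
// reach regex parsing in withClientHints().

// Limit named in the advisory (the library's User-Agent cap).
const UA_MAX_LENGTH = 500;

// Device regex quoted in the advisory. Used here only to show what it
// extracts from a well-formed model string.
const MIUI_DEVICE_RE = / ([\w ]+) miui\/v?\d/i;

// Returns the device model captured by the advisory's regex, or null.
function extractMiuiModel(value) {
  const m = MIUI_DEVICE_RE.exec(value);
  return m ? m[1] : null;
}

// Returns a copy of `headers` in which every Sec-CH-UA* value (case-insensitive
// name match, an assumption of this example) is truncated to `max` characters,
// plus the names of the headers that were truncated. Non-string values
// (e.g. arrays for repeated headers) are passed through unchanged.
function boundClientHints(headers, max = UA_MAX_LENGTH) {
  const bounded = {};
  const truncated = [];
  for (const [name, value] of Object.entries(headers)) {
    const isClientHint = name.toLowerCase().startsWith('sec-ch-ua');
    if (isClientHint && typeof value === 'string' && value.length > max) {
      bounded[name] = value.slice(0, max);
      truncated.push(name);
    } else {
      bounded[name] = value;
    }
  }
  return { headers: bounded, truncated };
}

// Assumed middleware shape: bound the hints, log any truncation so it can be
// picked up by detection, then hand the bounded headers to the parser.
function clientHintsGuard(parse, logger = console) {
  return function (req) {
    const { headers, truncated } = boundClientHints(req.headers);
    if (truncated.length > 0) {
      logger.warn(`client hints truncated to ${UA_MAX_LENGTH} chars: ${truncated.join(', ')}`);
    }
    return parse(headers);
  };
}

// Constructed sample request. In the real integration `parse` would be
// (h) => UAParser(h).withClientHints(); here a stand-in returns the model
// header so the block runs without the library.
const sampleRequest = {
  headers: {
    'accept': 'text/html',
    'sec-ch-ua-model': '"Redmi Note 8"',
  },
};
const guarded = clientHintsGuard((h) => h['sec-ch-ua-model']);
console.log(guarded(sampleRequest)); // '"Redmi Note 8"' (under the cap, unchanged)
```

Truncating rather than rejecting mirrors the library's own handling of the User-Agent string, so legitimate clients keep working; the warning line gives operations a signal that someone is sending abnormally large Client Hints.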