Advisories for Npm/Ua-Parser-Js package

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex: / ([\w ]+) miui/v?\d/i Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client …

Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js. Impact: This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition. Affected Versions: From version 0.7.30 to before versions 0.7.33 / 1.0.33. Patches: A …

This advisory duplicates another.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pjwm-rvh2-c87w. This link is maintained to preserve external references. Original Description A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The …

This advisory duplicates another.

ua-parser-js uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.

The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS).