[ua-parser-js] ReDoS Vulnerability in ua-parser-js version

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypass the library’s MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service – ReDoS

Credits:

Thanks to @Snyk who first reported the issue.

References

https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3
https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411
https://nvd.nist.gov/vuln/detail/CVE-2022-25927
https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450
https://github.com/advisories/GHSA-fhg7-m89q-25r3

TechMedia