Regular Expression Denial of Service (ReDoS)

Affecting useragent package, versions <2.1.12

high severity

Overview

useragent allows you to parse user agent strings with high accuracy by using hand-tuned, dedicated regular expressions for browser matching.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A malicious user could cause the server to block by sending a request whose User-Agent header contains an arbitrarily long user agent string, which the parser's regular expressions then spend excessive time matching.
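The fix is the upgrade below; as defence in depth, the following added example (not code from the advisory or the useragent package) bounds the User-Agent header before any regex-based parser sees it, either truncating it or rejecting the request with 431. The 512-character limit, the `safeUserAgent` property and the `runGuard` stand-in are assumptions made for this example.

```javascript
// Added example, not code from the Snyk advisory or the useragent package.
// Bound the User-Agent header before a regex-based parser sees it, so an
// arbitrarily long header cannot drive catastrophic backtracking.
// MAX_UA_LENGTH is an assumed limit; real browser UA strings are usually
// a few hundred characters at most.
const MAX_UA_LENGTH = 512;

// Returns the header bounded to maxLength plus what was done to it.
// mode 'truncate' keeps a prefix; mode 'reject' flags the request instead.
function boundUserAgent(header, { maxLength = MAX_UA_LENGTH, mode = 'truncate' } = {}) {
  // Node joins repeated headers into one string; tolerate an array anyway.
  const raw = Array.isArray(header) ? header.join(', ') : header;
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ua: '', truncated: false, rejected: false };
  }
  if (raw.length <= maxLength) {
    return { ua: raw, truncated: false, rejected: false };
  }
  if (mode === 'reject') {
    return { ua: '', truncated: false, rejected: true };
  }
  return { ua: raw.slice(0, maxLength), truncated: true, rejected: false };
}

// Express/Connect-style middleware factory built on boundUserAgent.
function userAgentGuard(options = {}) {
  return function (req, res, next) {
    const result = boundUserAgent(req.headers['user-agent'], options);
    if (result.rejected) {
      // 431 Request Header Fields Too Large; nothing is parsed.
      res.statusCode = 431;
      res.end('User-Agent header too large');
      return;
    }
    // Downstream code parses req.safeUserAgent (assumed name) instead of the raw header.
    req.safeUserAgent = result.ua;
    req.userAgentTruncated = result.truncated;
    next();
  };
}

// Minimal constructed req/res stand-ins so the middleware runs without Express.
function runGuard(userAgentValue, options) {
  const req = { headers: { 'user-agent': userAgentValue } };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let nextCalled = false;
  userAgentGuard(options)(req, res, () => { nextCalled = true; });
  return { req, res, nextCalled };
}
```

Place the guard before any route that calls the user agent parser, and parse `req.safeUserAgent` rather than the raw header.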

Remediation

Update useragent to version 2.1.12 or higher.

Credit: Mathias Madsen
CWE: CWE-400
Snyk ID: npm:useragent:20170206
Disclosed: 06 Feb, 2017
Published: 16 Apr, 2017