GHSA-pmg9-p9r2-6q87

Suggest an improvement
Source
https://github.com/advisories/GHSA-pmg9-p9r2-6q87
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-pmg9-p9r2-6q87/GHSA-pmg9-p9r2-6q87.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pmg9-p9r2-6q87
Aliases
  • CVE-2017-16086
Published
2018-07-24T19:46:37Z
Modified
2023-11-08T03:59:04.001707Z
Summary
ReDoS via long UserAgent header in ua-parser
Details

Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different, functionally equivalent package such as useragent.

Database specific 
{
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:49:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

npm / ua-parser

Package

Name
ua-parser
View open source insights on deps.dev
Purl
pkg:npm/ua-parser

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.3.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-pmg9-p9r2-6q87/GHSA-pmg9-p9r2-6q87.json"