CVE-2026-48125

Source
https://cve.org/CVERecord?id=CVE-2026-48125
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48125.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48125
Aliases
Downstream
Published
2026-07-14T20:54:56.374Z
Modified
2026-07-16T03:48:20.098040090Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Details

UAParser.js is a JavaScript library to detect browsers, operating systems, CPUs, and devices from user-agent data. From 2.0.1 until 2.0.10, a regular expression denial-of-service vulnerability exists when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause excessive CPU time due to catastrophic backtracking in the device regex because Client Hints values are copied without the UAMAXLENGTH limit used for User-Agent values. This issue is fixed in version 2.0.10.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48125.json",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/faisalman/ua-parser-js

Affected ranges

Type
GIT
Repo
https://github.com/faisalman/ua-parser-js
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.0.1"
        },
        {
            "fixed": "2.0.10"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48125.json"