UBUNTU-CVE-2026-48125

Source
https://ubuntu.com/security/CVE-2026-48125
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-48125
Upstream
Published
2026-07-14T21:16:00Z
Modified
2026-07-15T19:48:19.657537808Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

UAParser.js is a JavaScript library to detect browsers, operating systems, CPUs, and devices from user-agent data. From 2.0.1 until 2.0.10, a regular expression denial-of-service vulnerability exists when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause excessive CPU time due to catastrophic backtracking in the device regex because Client Hints values are copied without the UAMAXLENGTH limit used for User-Agent values. This issue is fixed in version 2.0.10.

References

Affected packages

Ubuntu:18.04:LTS / node-ua-parser-js

Package

Name
node-ua-parser-js
Purl
pkg:deb/ubuntu/node-ua-parser-js?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.7.14-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-ua-parser-js",
            "binary_version": "0.7.14-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json"

Ubuntu:20.04:LTS / node-ua-parser-js

Package

Name
node-ua-parser-js
Purl
pkg:deb/ubuntu/node-ua-parser-js?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.7.14-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-ua-parser-js",
            "binary_version": "0.7.14-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json"

Ubuntu:22.04:LTS / node-ua-parser-js

Package

Name
node-ua-parser-js
Purl
pkg:deb/ubuntu/node-ua-parser-js?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.7.24+ds-1
0.7.24+ds-2
0.7.31+ds+~0.7.36-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-ua-parser-js",
            "binary_version": "0.7.31+ds+~0.7.36-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json"

Ubuntu:24.04:LTS / node-ua-parser-js

Package

Name
node-ua-parser-js
Purl
pkg:deb/ubuntu/node-ua-parser-js?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.8.1+ds+~0.7.36-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-ua-parser-js",
            "binary_version": "0.8.1+ds+~0.7.36-3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json"

Ubuntu:26.04:LTS / node-ua-parser-js

Package

Name
node-ua-parser-js
Purl
pkg:deb/ubuntu/node-ua-parser-js?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.8.1+ds+~0.7.36-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-ua-parser-js",
            "binary_version": "0.8.1+ds+~0.7.36-3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-48125.json"