js · ua-parser-js · Heads-up
ua-parser-js ReDoS vulnerability in Client Hints API
A ReDoS vulnerability was discovered in ua-parser-js when using the Client Hints API.
What changed
The Client Hints parsing path in ua-parser-js is vulnerable to ReDoS: a crafted Sec-CH-UA-Model header can consume excessive CPU time through catastrophic backtracking in the device regex.
Who it affects
Server-side applications using ua-parser-js versions >=2.0.1, <=2.0.9 that pass request headers to UAParser(headers).withClientHints().
What to do today
Update ua-parser-js to version 2.0.10 or later, which patches the vulnerable regex and limits Client Hints input.
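Two checks a deployment can apply while rolling out the upgrade, as an added example that is not code from ua-parser-js or from this advisory: `isVulnerableVersion()` tells you whether an installed version falls in the affected range the advisory states (>=2.0.1, <=2.0.9), and `boundClientHintHeaders()` caps the length of every Sec-CH-UA-* header before the headers object is handed to `UAParser(headers).withClientHints()`, so an oversized Sec-CH-UA-Model value never reaches the device regex. The function names, the 64-character cap and the sample header values are assumptions made for this example; the cap is generous, since real device model strings are much shorter.

```javascript
// Added example (not from ua-parser-js or the advisory): two defensive checks
// around the ReDoS in UAParser(headers).withClientHints().
//
// 1. isVulnerableVersion(): true for installed versions inside the affected
//    range >=2.0.1, <=2.0.9 stated by the advisory.
// 2. boundClientHintHeaders(): returns a copy of an incoming headers object
//    with every Sec-CH-UA-* value truncated to a fixed length, so an oversized
//    Sec-CH-UA-Model header cannot feed long input to the device regex.
//    MAX_CLIENT_HINT_LENGTH = 64 is an assumption chosen for this example.

const VULNERABLE_MIN = [2, 0, 1];
const VULNERABLE_MAX = [2, 0, 9];

// Parse "2.0.9", "v2.0.9" or "2.0.9-beta.1" into [2, 0, 9]. Pre-release and
// build suffixes are dropped because the affected range is given as plain x.y.z.
function parseVersion(version) {
  const core = String(version).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n) || n < 0)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  return parts;
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given ua-parser-js version lies inside the affected range.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULNERABLE_MIN) >= 0 && compareVersions(v, VULNERABLE_MAX) <= 0;
}

const MAX_CLIENT_HINT_LENGTH = 64; // assumption for this example

// Return a new headers object (keys lower-cased, as Node's req.headers already
// are) with every Sec-CH-UA-* value cut to maxLength characters. Repeated
// headers arrive as arrays and are truncated element-wise; non-string values
// are passed through untouched.
function boundClientHintHeaders(headers, maxLength = MAX_CLIENT_HINT_LENGTH) {
  const bounded = {};
  const clip = (v) => (typeof v === 'string' ? v.slice(0, maxLength) : v);
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!key.startsWith('sec-ch-ua')) {
      bounded[key] = value;
      continue;
    }
    bounded[key] = Array.isArray(value) ? value.map(clip) : clip(value);
  }
  return bounded;
}

// Constructed sample input: a benign request and one whose Sec-CH-UA-Model
// value is simply far longer than any real model string (repeated characters,
// chosen only to exceed the cap).
const sampleHeaders = {
  'User-Agent': 'Mozilla/5.0 (Linux; Android 14) Chrome/124.0',
  'Sec-CH-UA-Model': '"Pixel 8"',
  'Sec-CH-UA-Platform': '"Android"',
};
const oversizedHeaders = {
  ...sampleHeaders,
  'Sec-CH-UA-Model': '"' + 'A'.repeat(500) + '"',
};

// Summarise both checks for a given installed version and request headers.
// With the real library installed, the bounded headers are what you would pass:
//   UAParser(boundClientHintHeaders(req.headers)).withClientHints()
function assessRequest(installedVersion, headers) {
  const bounded = boundClientHintHeaders(headers);
  return {
    vulnerableVersion: isVulnerableVersion(installedVersion),
    modelLength: bounded['sec-ch-ua-model'].length,
  };
}

console.log(assessRequest('2.0.5', oversizedHeaders));
```

In practice the version check belongs in a dependency audit or a startup assertion, and the header bounding sits in a middleware that runs before any user-agent parsing; the bounding is a stop-gap for the window before 2.0.10 is deployed everywhere, not a replacement for the upgrade.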