Resource exhaustion in UAParser.js - CVE-2017-16086
Published: May 11, 2020
Vulnerability identifier: #VU27690
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2017-16086
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Faisal Salman
Affected software:
UAParser.js
UAParser.js
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing regular expressions.A remote attacker can pass a very long UserAgent header to the application and trigger a Regular Expression Denial of Service (ReDoS).
Server-side applications that use "ua-parser-js" for parsing the browser user-agent string will be vulnerable if they call the "getOS" or "getResult" functions.
How to mitigate CVE-2017-16086
Install updates from vendor's website.