CVE-2022-25927
HIGH7.5EPSS 1.5%ReDoS Vulnerability in ua-parser-js version
描述
### Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`. ### Impact: This vulnerability bypass the library's `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition. ### Affected Versions: From version `0.7.30` to before versions `0.7.33` / `1.0.33`. ### Patches: A patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later. ### References: [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) ### Credits: Thanks to @Snyk who first reported the issue.
受影響套件(2)
- Debian/node-ua-parser-jsfrom 0
- npm/ua-parser-js>= 0.7.30, < 0.7.33
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25927
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-25927
- PATCHhttps://github.com/faisalman/ua-parser-js
- WEBhttps://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411
- WEBhttps://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3
- WEBhttps://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450