CVE-2026-48125
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Description
### Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):

```js
/ ([\w ]+) miui\/v?\d/i
```

Unlike the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, Client Hints values are copied without a length limit before being passed into regex parsing.

### PoC

```js
const { UAParser } = require('ua-parser-js');

// Client Hints headers with an oversized model value
const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

// Time the parse; a benign header takes well under 100 ms
const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}
```

### Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length.

The impact is __availability__ only; there is no confidentiality or integrity impact.

### Affected Versions

`ua-parser-js` versions `>=2.0.1, <=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.

### Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.
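An added example (not ua-parser-js code) of the input-length guard the advisory describes: Client Hints values are clamped before they reach the regex, so backtracking cost is bounded by the cap rather than by the request. `CH_MAX_LENGTH`, `CLIENT_HINT_HEADERS`, `clampClientHints`, `extractMiuiModel` and the sample inputs are assumptions constructed for this example; the regex is the one quoted above.

```javascript
// Added example, not ua-parser-js code: bound Client Hints values before they
// reach regex parsing, mirroring the UA_MAX_LENGTH guard the advisory says
// applies to User-Agent but not to Client Hints. Assumes lower-cased header
// names (as Node's req.headers delivers them); 500 is an assumed cap.
const CH_MAX_LENGTH = 500;

// Client Hints header names this guard covers (assumed list; extend as needed).
const CLIENT_HINT_HEADERS = [
  'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform',
  'sec-ch-ua-platform-version', 'sec-ch-ua-model', 'sec-ch-ua-full-version-list',
  'sec-ch-ua-arch', 'sec-ch-ua-bitness',
];

// Returns a copy of `headers` with each Client Hints value cut to `max`
// characters, plus the names that were cut so callers can log them as a
// signal of oversized or hostile input. Truncating rather than rejecting keeps
// legitimate requests working while making regex cost depend on `max` only.
function clampClientHints(headers, max = CH_MAX_LENGTH) {
  const clamped = { ...headers };
  const truncated = [];
  for (const name of CLIENT_HINT_HEADERS) {
    const value = clamped[name];
    if (typeof value === 'string' && value.length > max) {
      clamped[name] = value.slice(0, max);
      truncated.push(name);
    }
  }
  return { headers: clamped, truncated };
}

// The device regex quoted in the advisory: `[\w ]+` followed by a literal
// space is ambiguous, so a long run of "A " forces quadratic backtracking.
const MIUI_MODEL_RE = / ([\w ]+) miui\/v?\d/i;

// Runs the regex on a model string; null when there is no MIUI marker.
function extractMiuiModel(model) {
  const m = MIUI_MODEL_RE.exec(model);
  return m ? m[1] : null;
}

// Constructed sample: the advisory's PoC payload (25,000 repetitions of "A ").
const pocHeaders = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"',
};

// Guard first, then parse: UAParser(clampClientHints(req.headers).headers).withClientHints()
const guarded = clampClientHints(pocHeaders);
console.log(guarded.truncated, guarded.headers['sec-ch-ua-model'].length);
```

Log the `truncated` list from request middleware: oversized Client Hints values are rare in legitimate traffic, so a burst of truncations from one client is a useful detection signal.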
### References

- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)

### Credits

Thanks to [@sondt99](https://github.com/sondt99), who first reported the issue.
How to patch CVE-2026-48125
To patch CVE-2026-48125, upgrade the affected package to the patched version listed below.
- `ua-parser-js`: upgrade to 2.0.10 or later
Is CVE-2026-48125 being exploited?
There are currently no signals of exploitation. CVE-2026-48125 is not in the CISA KEV catalog and has no recent EPSS score.