Node.js third-party modules: XSS in express-useragent through HTTP User-Agent

ID H1:362702
Type hackerone
Reporter ibrahimd
Modified 2018-07-06T13:34:36



I would like to report an XSS in express-useragent module due a lack of validating User-Agent header. Please note I already created an Github issue and asked for CVE ( CVE-2018-9863). I did not know about Node.js third-party modules on hackerone.


express-useragent is simple NodeJS/ExpressJS middleware exposing User-Agent details to your application and views. Basically it parses User-Agent and return it in structured JSON format.

The issue

while parsing User-Agent there are no escaping or sanitization mechanism. User-Agent header is controlled by the user. An attacker can craft a malicious script and inject it through the HTTP header.

Steps to reproduce

  • git clone
  • cd express-useragent
  • node test/http.js (an HTTP server should listen on 3000 tcp)
  • curl "http://localhost:3000" -H 'User-Agent: <script>alert("XSS")</script>' > poc.html
  • open poc.html with your favorite web browser
  • you should see an alertbox popup

Proof of concept (screenshots)

{F305913} {F305914}

Proof of concept with a fix (video) {F305912}


Correctly escape and sanitize user input ( HTTP User-Agent ). Please note I proposed a fix in the video


An attacker could execute javascript code that could lead to XSS.