I would like to report an XSS in express-useragent module due a lack of validating User-Agent header. Please note I already created an Github issue and asked for CVE ( CVE-2018-9863). I did not know about Node.js third-party modules on hackerone.
express-useragent is simple NodeJS/ExpressJS middleware exposing User-Agent details to your application and views. Basically it parses User-Agent and return it in structured JSON format.
while parsing User-Agent there are no escaping or sanitization mechanism. User-Agent header is controlled by the user. An attacker can craft a malicious script and inject it through the HTTP header.
node test/http.js(an HTTP server should listen on 3000 tcp)
curl "http://localhost:3000" -H 'User-Agent: <script>alert("XSS")</script>' > poc.html
Correctly escape and sanitize user input ( HTTP User-Agent ). Please note I proposed a fix in the video