ReDoS via long UserAgent header

2017-08-29T16:44:27
ID NODEJS:316
Type nodejs
Reporter Adam Baldwin
Modified 2018-05-08T14:27:01

Description

Overview

Affected versions of ua-parser are vulnerable to regular expression denial of service when given a specially crafted User-Agent header.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package and to switch to a different, functionally equivalent package such as useragent.
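
Because the issue is triggered by a long User-Agent value, capping the header length before any parser sees it bounds the input a backtracking regular expression can work on. The guard below is an added example, not code from this advisory, ua-parser or useragent; `MAX_UA_LENGTH`, `boundedUserAgent`, `parseUserAgentSafely` and the 512-character cap are assumptions chosen for illustration.

```javascript
// Added example: length guard placed in front of any User-Agent parser.
// All names here are hypothetical; none are ua-parser or useragent APIs.

// Assumed cap. Tune it against the User-Agent lengths seen in your own logs.
const MAX_UA_LENGTH = 512;

// Return the User-Agent as a bounded string, or null when it is missing,
// not a single string, empty, or longer than the cap.
// Node's http module lowercases header names, hence 'user-agent'.
function boundedUserAgent(headers, maxLength = MAX_UA_LENGTH) {
  const raw = headers ? headers['user-agent'] : undefined;
  if (typeof raw !== 'string' || raw.length === 0) return null;
  if (raw.length > maxLength) return null;
  return raw;
}

// Call `parse` only for headers that passed the guard, so an oversized
// value never reaches a regular expression. `observedLength` is returned
// so the caller can log rejected requests without logging the value itself.
function parseUserAgentSafely(headers, parse, maxLength = MAX_UA_LENGTH) {
  const raw = headers ? headers['user-agent'] : undefined;
  const observedLength = typeof raw === 'string' ? raw.length : 0;
  const ua = boundedUserAgent(headers, maxLength);
  if (ua === null) {
    return { parsed: null, rejected: true, observedLength };
  }
  return { parsed: parse(ua), rejected: false, observedLength };
}

// Connect/Express-style middleware: attaches the result to the request and
// continues, leaving the decision to reject the request to the application.
function userAgentGuard(parse, maxLength = MAX_UA_LENGTH) {
  return function (req, res, next) {
    req.userAgentResult = parseUserAgentSafely(req.headers, parse, maxLength);
    next();
  };
}
```

Pass the replacement parser's parse function as `parse`; the guard itself makes no assumption about which parser is behind it.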