CVE-2022-25927
ADVISORY - githubSummary
Description:
A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.
Impact:
This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.
Affected Versions:
From version 0.7.30 to before versions 0.7.33 / 1.0.33.
Patches:
A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.
References:
Regular expression Denial of Service - ReDoS
Credits:
Thanks to @Snyk who first reported the issue.
EPSS Score: 0.01372 (0.796)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Inefficient Regular Expression Complexity
ADVISORY - github
ADVISORY - gitlab
ADVISORY - gitlab
ADVISORY - redhat
Inefficient Regular Expression Complexity
NIST
CREATED
UPDATED
ADVISORY IDCVE-2022-25927
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumGitHub
CVSS SCORE
7.5highDebian
CREATED
UPDATED
ADVISORY IDCVE-2022-25927
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2022-25927
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
7.5mediumRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2022-25927
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
7.5mediumintheWild
CREATED
UPDATED
ADVISORY IDCVE-2022-25927
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-