Description
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some of its regexes are vulnerable to regular expression denial of service (ReDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
References (2)
https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p (Exploit, Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3: 5.7
EPSS: 0.0080
EPSS Percentile: 74.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-1333, CWE-20
Status: published
Products (3)
npm/uap-core: 0 - 0.7.3 (npm)
rubygems/user_agent_parser: 0 - 2.6.0 (RubyGems)
uap-core_project/uap-core: < 0.7.3
Published: Feb 21, 2020
Tracked Since: Feb 18, 2026