Description
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050387
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-1050388
Patch, Third Party Advisory x_refsource_misc
https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Scores
CVSS v3
7.5
EPSS
0.0264
EPSS Percentile
85.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (4)
npm/ua-parser-js
0 - 0.7.23npm
siemens/sinec_ins
1.0 (2 CPE variants)
siemens/sinec_ins
< 1.0
ua-parser-js_project/ua-parser-js
< 0.7.23
Published
Dec 11, 2020
Tracked Since
Feb 18, 2026