CVE-2022-25927

MEDIUM

Ua-parser-js < 0.7.33 - Denial of Service

Title source: rule

Description

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Exploits (2)

nomisec WORKING POC

by Sleuth-in-town · poc

https://github.com/Sleuth-in-town/CVE-2022-25927-test

View Code ZIP pw:eip

nomisec WORKING POC

by masahiro331 · poc

https://github.com/masahiro331/cve-2022-25927

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411

[Exploit, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450

Scores

CVSS v3 5.3

EPSS 0.0149

EPSS Percentile 81.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-1333

Status published

Products (2)

npm/ua-parser-js 0.7.30 - 0.7.33npm

ua-parser-js_project/ua-parser-js 0.7.30 - 0.7.33

Published Jan 26, 2023

Tracked Since Feb 18, 2026