CVE-2022-25927

MEDIUM

ua-parser-js 0.7.30-0.7.32 and 0.8.1-1.0.32 - Regular Expression Denial of Service via trim() Function

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-25927. PoCs published by Sleuth-in-town, masahiro331.

AI-analyzed exploit summary This PoC demonstrates CVE-2022-25927, a ReDoS vulnerability in the 'ua-parser-js' library. It creates an HTTP server that parses User-Agent strings, triggering excessive backtracking in the regex engine, leading to denial of service.

Description

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Exploits (2)

nomisec WORKING POC

by Sleuth-in-town · poc

https://github.com/Sleuth-in-town/CVE-2022-25927-test

View Code ZIP pw:eip

This PoC demonstrates CVE-2022-25927, a ReDoS vulnerability in the 'ua-parser-js' library. It creates an HTTP server that parses User-Agent strings, triggering excessive backtracking in the regex engine, leading to denial of service.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: ua-parser-js (versions before 1.0.2)

No auth needed

Prerequisites: Node.js environment · ua-parser-js library installed

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 10, 2026 Full analysis →

nomisec WORKING POC

by masahiro331 · poc

https://github.com/masahiro331/cve-2022-25927

View Code ZIP pw:eip

This PoC demonstrates CVE-2022-25927, a ReDoS vulnerability in ua-parser-js. It exploits inefficient regex handling by sending a maliciously crafted User-Agent string with excessive repetition, causing denial-of-service.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: ua-parser-js v1.0.32

No auth needed

Prerequisites: Node.js environment · ua-parser-js dependency

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Third Party Advisory

https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450

Scores

CVSS v3 5.3

EPSS 0.0145

EPSS Percentile 81.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

npm/ua-parser-js 0.7.30 - 0.7.33npm

ua-parser-js_project/ua-parser-js 0.7.30 - 0.7.33

Published Jan 26, 2023

Tracked Since Feb 18, 2026