Regular Expression Denial of Service (ReDoS) [HIGH SEVERITY]

[vvscode]

Regular Expression Denial of Service (ReDoS)
Vulnerable module: useragent
Introduced through: useragent@2.3.0
Detailed paths
Introduced through: useragent@2.3.0
Overview
useragent allows you to parse user agent string with high accuracy by using hand tuned dedicated regular expressions for browser matching.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when passing long user-agent strings.

This is due to incomplete fix for this vulnerability: https://snyk.io/vuln/SNYK-JS-USERAGENT-11000.

An attempt to fix the vulnerability has been pushed to master.

https://snyk.io/vuln/SNYK-JS-USERAGENT-11000

[daKmoR]

just got the same report 😿

it seems to be already fixed on master? 🎉

would it be possible to release a new version 🤗 pretty please 🤗

[mastermatt]

@3rd-Eden is this on your radar by chance?

[daKmoR]

friendly reminder 🤗

[vvscode]

as temporary solution I've added

app.use((req, res, next) => {
  req.headers['user-agent'] = `${req.headers['user-agent']}`.substr(0, 150);
  next();
});

[vvscode]

@3rd-Eden ping

[vvscode]

https://twitter.com/vvscode/status/1158378665555746821

[jfurler]

Friendly bump @3rd-Eden. We'd really appreciate a release, if that would fix the issue.

[ccapiaux]

@3rd-Eden do you have an update on the fix? (https://twitter.com/vvscode/status/1158378665555746821)

[ccapiaux]

as temporary solution I've added

app.use((req, res, next) => {
  req.headers['user-agent'] = `${req.headers['user-agent']}`.substr(0, 150);
  next();
});

Is this the only alternative / workaround for now? Has anyone considered either 1. releasing the fix separately or 2. using an alternative library?

Side:

An attempt to fix the vulnerability has been pushed to master.

Is @3rd-Eden the only contributor who can release a fixed version? @davidkwan95 and @ChALkeR I see you both have contributed to the repository in 2019.

Thanks a lot in advance for future replies! :)

[mitermayer]

Can someone fork this and apply this patch ?

[huntr-helper]

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

[yahanvesh]

Hi team, its more than a year since no update for the fix, can someone suggest an alternative for this module?

[vvscode]

I continue using it, just added a patch with https://github.com/ds300/patch-package

[liamcmitchell-sc]

The uap-core library of regexes that this is built on continue to be updated: ua-parser/uap-core#495
This project is already set up to download the latest regexes, nothing more we can do here.

Alternatives:

• ua-parser-js, bowser, detect-browser - different regexes and data structures
• uap-ref-impl - uses same regex source so should produce similar data, requires glue code like this to load and parse the regex yaml