GHSA-pcqq-5962-hvcw: Denial of Service in uap-core when processing crafted User-Agent strings

March 10, 2020 (updated May 22, 2025)

Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.

References

github.com/advisories/GHSA-pcqq-5962-hvcw
github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml
github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a
github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw

Code Behaviors & Features

Detect and mitigate GHSA-pcqq-5962-hvcw with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →