CVE-2018-20164: ReDoS

February 13, 2019 (updated October 2, 2019)

The programming library UA-Parser uses regular expressions to identify user agent strings. The complexity of some of the regular expressions is such that an attacker can craft special patterns that keep the server busy for a long time. By sending many requests in short order, an attacker can exhaust the amount of processing power available.

References

github.com/ua-parser/uap-core/pull/363/files
nvd.nist.gov/vuln/detail/CVE-2018-20164
www.openwall.com/lists/oss-security/2019/01/10/2
www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Detect and mitigate CVE-2018-20164 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →