Advisories for Npm/Ua-Parser-Js package

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 is vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js. Impact: This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition. Affected Versions: All versions of the library prior to version 0.7.33 / 1.0.33. …

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

This package was found to contain malicious code.

ua-parser-js uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.

The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS).