CVE-2017-16030: ReDoS in useragent Node.js Module
Platform
nodejs
Component
useragent
Fixed in
2.1.13
CVE-2017-16030 describes a regular expression denial of service (ReDoS) vulnerability found in the useragent Node.js module. This vulnerability allows an attacker to exhaust server resources by sending a malformed, excessively long User-Agent header, resulting in a denial of service. The vulnerability affects versions of useragent prior to 2.1.13 and a fix is available in version 2.1.13.
Impact and Attack Scenarios
The primary impact of CVE-2017-16030 is a denial of service (DoS). An attacker can exploit this vulnerability by crafting a User-Agent header containing a very long string designed to trigger an exponential increase in the time required for the regular expression engine to parse it. This leads to excessive CPU consumption on the server, potentially crashing the application or making it unresponsive to legitimate requests. The blast radius is limited to the application using the useragent module; however, if the application is critical to business operations, the impact can be significant. The provided proof-of-concept demonstrates how a long string appended to a User-Agent header can trigger this behavior.
Exploitation Context
CVE-2017-16030 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, ReDoS vulnerabilities are generally considered easily exploitable. There are no indications this is on KEV or has an EPSS score. Public proof-of-concept code is available, demonstrating the ease of exploitation. The vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
Threat Intelligence
Exploit Status
EPSS
0.43% (63% percentile)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The recommended mitigation for CVE-2017-16030 is to upgrade the useragent module to version 2.1.13 or later. This version includes a fix that prevents the ReDoS vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the User-Agent header to limit its length. Web application firewalls (WAFs) configured to detect and block excessively long headers can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to parse a long, crafted User-Agent header and verifying that CPU usage remains within acceptable limits.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2017-16030 — ReDoS in useragent Node.js Module?
CVE-2017-16030 is a denial of service vulnerability in the useragent Node.js module. A specially crafted User-Agent header can cause excessive CPU usage, leading to a DoS. It affects versions before 2.1.13.
Am I affected by CVE-2017-16030 in useragent Node.js Module?
You are affected if your Node.js application uses the useragent module and is running a version prior to 2.1.13. Check your project dependencies using npm list useragent.
How do I fix CVE-2017-16030 in useragent Node.js Module?
Upgrade the useragent module to version 2.1.13 or later using npm install useragent@latest. Consider input validation on User-Agent headers as a temporary measure.
Is CVE-2017-16030 being actively exploited?
While no active campaigns have been publicly reported, the vulnerability is easily exploitable and could be targeted by automated scanners.
Where can I find the official useragent advisory for CVE-2017-16030?
Refer to the useragent module's repository on GitHub for updates and advisories: https://github.com/node-useragent/useragent
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...