Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16030: ReDoS in useragent Node.js Module
Plataforma
nodejs
Componente
useragent
Corregido en
2.1.13
CVE-2017-16030 describes a regular expression denial of service (ReDoS) vulnerability found in the useragent Node.js module. This vulnerability allows an attacker to exhaust server resources by sending a malformed, excessively long User-Agent header, resulting in a denial of service. The vulnerability affects versions of useragent prior to 2.1.13 and a fix is available in version 2.1.13.
Impacto y Escenarios de Ataquetraduciendo…
The primary impact of CVE-2017-16030 is a denial of service (DoS). An attacker can exploit this vulnerability by crafting a User-Agent header containing a very long string designed to trigger an exponential increase in the time required for the regular expression engine to parse it. This leads to excessive CPU consumption on the server, potentially crashing the application or making it unresponsive to legitimate requests. The blast radius is limited to the application using the useragent module; however, if the application is critical to business operations, the impact can be significant. The provided proof-of-concept demonstrates how a long string appended to a User-Agent header can trigger this behavior.
Contexto de Explotacióntraduciendo…
CVE-2017-16030 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, ReDoS vulnerabilities are generally considered easily exploitable. There are no indications this is on KEV or has an EPSS score. Public proof-of-concept code is available, demonstrating the ease of exploitation. The vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
Inteligencia de Amenazas
Estado del Exploit
EPSS
0.43% (63% percentil)
Cronología
- Publicada
- Modificada
- EPSS actualizado
Mitigación y Workaroundstraduciendo…
The recommended mitigation for CVE-2017-16030 is to upgrade the useragent module to version 2.1.13 or later. This version includes a fix that prevents the ReDoS vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the User-Agent header to limit its length. Web application firewalls (WAFs) configured to detect and block excessively long headers can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to parse a long, crafted User-Agent header and verifying that CPU usage remains within acceptable limits.
Cómo corregirlotraduciendo…
Sin parche oficial disponible. Busca alternativas o monitorea actualizaciones.
Preguntas frecuentestraduciendo…
What is CVE-2017-16030 — ReDoS in useragent Node.js Module?
CVE-2017-16030 is a denial of service vulnerability in the useragent Node.js module. A specially crafted User-Agent header can cause excessive CPU usage, leading to a DoS. It affects versions before 2.1.13.
Am I affected by CVE-2017-16030 in useragent Node.js Module?
You are affected if your Node.js application uses the useragent module and is running a version prior to 2.1.13. Check your project dependencies using npm list useragent.
How do I fix CVE-2017-16030 in useragent Node.js Module?
Upgrade the useragent module to version 2.1.13 or later using npm install useragent@latest. Consider input validation on User-Agent headers as a temporary measure.
Is CVE-2017-16030 being actively exploited?
While no active campaigns have been publicly reported, the vulnerability is easily exploitable and could be targeted by automated scanners.
Where can I find the official useragent advisory for CVE-2017-16030?
Refer to the useragent module's repository on GitHub for updates and advisories: https://github.com/node-useragent/useragent
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Pruébalo ahora — sin cuenta
Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.
Arrastra y suelta tu archivo de dependencias
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...