Platform
nodejs
Component
ua-parser
Fixed in
0.3.6
CVE-2017-16086 describes a regular expression denial of service (ReDoS) vulnerability affecting versions of ua-parser up to and including 0.3.5. An attacker can exploit this by sending a specially crafted User-Agent header, leading to excessive CPU consumption and potential denial of service. Currently, no official patch is available for this vulnerability, requiring alternative mitigation strategies.
The primary impact of CVE-2017-16086 is denial of service. A malicious actor can craft a User-Agent string that, when processed by the vulnerable ua-parser library, causes the regular expression engine to enter an exponential state, consuming significant CPU resources. This can effectively halt the application or server processing requests, rendering it unavailable to legitimate users. The blast radius is limited to the application utilizing the ua-parser library; however, if the application is critical, the impact can be substantial. Similar ReDoS vulnerabilities have been observed in other regular expression-heavy applications, demonstrating the potential for widespread impact if not addressed.
CVE-2017-16086 was published on July 24, 2018. There is no indication of this vulnerability being actively exploited in the wild. It is not listed on CISA’s Known Exploited Vulnerabilities catalog (KEV) and has a low EPSS score, suggesting a low probability of exploitation. Public proof-of-concept (POC) code exists demonstrating the ReDoS condition, making exploitation relatively straightforward for attackers with the necessary knowledge.
Exploit status
EPSS
57.77% (98th percentile)
Due to the absence of a direct patch, mitigation for CVE-2017-16086 focuses on avoidance and alternative solutions. The recommended approach is to cease using the vulnerable ua-parser package entirely. Consider migrating to a functionally equivalent package, such as useragent from npm, which has been vetted for similar vulnerabilities. If complete removal is not immediately feasible, implement input validation on the User-Agent header to reject strings exceeding a reasonable length or containing suspicious patterns. While not a complete solution, this can reduce the likelihood of exploitation. Regularly review dependencies and update them to the latest versions to minimize exposure to known vulnerabilities.
No official patch available. Look for alternatives or monitor for updates.
CVE-2017-16086 is a regular expression denial of service (ReDoS) vulnerability in ua-parser versions up to 0.3.5. A crafted User-Agent header can cause excessive CPU usage, leading to denial of service.
You are affected if your application uses ua-parser version 0.3.5 or earlier. Check your project's dependencies to determine if you are using a vulnerable version.
There is no official patch. The recommended fix is to avoid using the vulnerable package and migrate to an alternative like useragent or implement input validation on User-Agent headers.
There is no public evidence of CVE-2017-16086 being actively exploited in the wild, but POC code exists, making exploitation possible.
While a formal advisory from the ua-parser project is limited, information about the vulnerability can be found on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2017-16086