このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16030: ReDoS in useragent Node.js Module
プラットフォーム
nodejs
コンポーネント
useragent
修正版
2.1.13
CVE-2017-16030 describes a regular expression denial of service (ReDoS) vulnerability found in the useragent Node.js module. This vulnerability allows an attacker to exhaust server resources by sending a malformed, excessively long User-Agent header, resulting in a denial of service. The vulnerability affects versions of useragent prior to 2.1.13 and a fix is available in version 2.1.13.
影響と攻撃シナリオ翻訳中…
The primary impact of CVE-2017-16030 is a denial of service (DoS). An attacker can exploit this vulnerability by crafting a User-Agent header containing a very long string designed to trigger an exponential increase in the time required for the regular expression engine to parse it. This leads to excessive CPU consumption on the server, potentially crashing the application or making it unresponsive to legitimate requests. The blast radius is limited to the application using the useragent module; however, if the application is critical to business operations, the impact can be significant. The provided proof-of-concept demonstrates how a long string appended to a User-Agent header can trigger this behavior.
悪用の状況翻訳中…
CVE-2017-16030 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, ReDoS vulnerabilities are generally considered easily exploitable. There are no indications this is on KEV or has an EPSS score. Public proof-of-concept code is available, demonstrating the ease of exploitation. The vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
脅威インテリジェンス
エクスプロイト状況
EPSS
0.43% (63% パーセンタイル)
タイムライン
- 公開日
- 更新日
- EPSS 更新日
緩和策と回避策翻訳中…
The recommended mitigation for CVE-2017-16030 is to upgrade the useragent module to version 2.1.13 or later. This version includes a fix that prevents the ReDoS vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the User-Agent header to limit its length. Web application firewalls (WAFs) configured to detect and block excessively long headers can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to parse a long, crafted User-Agent header and verifying that CPU usage remains within acceptable limits.
修正方法翻訳中…
公式パッチはありません。回避策を確認するか、アップデートを監視してください。
よくある質問翻訳中…
What is CVE-2017-16030 — ReDoS in useragent Node.js Module?
CVE-2017-16030 is a denial of service vulnerability in the useragent Node.js module. A specially crafted User-Agent header can cause excessive CPU usage, leading to a DoS. It affects versions before 2.1.13.
Am I affected by CVE-2017-16030 in useragent Node.js Module?
You are affected if your Node.js application uses the useragent module and is running a version prior to 2.1.13. Check your project dependencies using npm list useragent.
How do I fix CVE-2017-16030 in useragent Node.js Module?
Upgrade the useragent module to version 2.1.13 or later using npm install useragent@latest. Consider input validation on User-Agent headers as a temporary measure.
Is CVE-2017-16030 being actively exploited?
While no active campaigns have been publicly reported, the vulnerability is easily exploitable and could be targeted by automated scanners.
Where can I find the official useragent advisory for CVE-2017-16030?
Refer to the useragent module's repository on GitHub for updates and advisories: https://github.com/node-useragent/useragent
今すぐ試す — アカウント不要
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
依存関係ファイルをドラッグ&ドロップ
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...