Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16030: ReDoS in useragent Node.js Module
Plataforma
nodejs
Componente
useragent
Corrigido em
2.1.13
CVE-2017-16030 describes a regular expression denial of service (ReDoS) vulnerability found in the useragent Node.js module. This vulnerability allows an attacker to exhaust server resources by sending a malformed, excessively long User-Agent header, resulting in a denial of service. The vulnerability affects versions of useragent prior to 2.1.13 and a fix is available in version 2.1.13.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2017-16030 is a denial of service (DoS). An attacker can exploit this vulnerability by crafting a User-Agent header containing a very long string designed to trigger an exponential increase in the time required for the regular expression engine to parse it. This leads to excessive CPU consumption on the server, potentially crashing the application or making it unresponsive to legitimate requests. The blast radius is limited to the application using the useragent module; however, if the application is critical to business operations, the impact can be significant. The provided proof-of-concept demonstrates how a long string appended to a User-Agent header can trigger this behavior.
Contexto de Exploraçãotraduzindo…
CVE-2017-16030 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, ReDoS vulnerabilities are generally considered easily exploitable. There are no indications this is on KEV or has an EPSS score. Public proof-of-concept code is available, demonstrating the ease of exploitation. The vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
Inteligência de Ameaças
Status do Exploit
EPSS
0.43% (percentil 63%)
Linha do tempo
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The recommended mitigation for CVE-2017-16030 is to upgrade the useragent module to version 2.1.13 or later. This version includes a fix that prevents the ReDoS vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the User-Agent header to limit its length. Web application firewalls (WAFs) configured to detect and block excessively long headers can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to parse a long, crafted User-Agent header and verifying that CPU usage remains within acceptable limits.
Como corrigirtraduzindo…
Nenhum patch oficial disponível. Procure alternativas ou monitore atualizações.
Perguntas frequentestraduzindo…
What is CVE-2017-16030 — ReDoS in useragent Node.js Module?
CVE-2017-16030 is a denial of service vulnerability in the useragent Node.js module. A specially crafted User-Agent header can cause excessive CPU usage, leading to a DoS. It affects versions before 2.1.13.
Am I affected by CVE-2017-16030 in useragent Node.js Module?
You are affected if your Node.js application uses the useragent module and is running a version prior to 2.1.13. Check your project dependencies using npm list useragent.
How do I fix CVE-2017-16030 in useragent Node.js Module?
Upgrade the useragent module to version 2.1.13 or later using npm install useragent@latest. Consider input validation on User-Agent headers as a temporary measure.
Is CVE-2017-16030 being actively exploited?
While no active campaigns have been publicly reported, the vulnerability is easily exploitable and could be targeted by automated scanners.
Where can I find the official useragent advisory for CVE-2017-16030?
Refer to the useragent module's repository on GitHub for updates and advisories: https://github.com/node-useragent/useragent
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...