此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2017-16030: ReDoS in useragent Node.js Module
平台
nodejs
组件
useragent
修复版本
2.1.13
CVE-2017-16030 describes a regular expression denial of service (ReDoS) vulnerability found in the useragent Node.js module. This vulnerability allows an attacker to exhaust server resources by sending a malformed, excessively long User-Agent header, resulting in a denial of service. The vulnerability affects versions of useragent prior to 2.1.13 and a fix is available in version 2.1.13.
影响与攻击场景翻译中…
The primary impact of CVE-2017-16030 is a denial of service (DoS). An attacker can exploit this vulnerability by crafting a User-Agent header containing a very long string designed to trigger an exponential increase in the time required for the regular expression engine to parse it. This leads to excessive CPU consumption on the server, potentially crashing the application or making it unresponsive to legitimate requests. The blast radius is limited to the application using the useragent module; however, if the application is critical to business operations, the impact can be significant. The provided proof-of-concept demonstrates how a long string appended to a User-Agent header can trigger this behavior.
利用背景翻译中…
CVE-2017-16030 was published on July 24, 2018. While no active campaigns targeting this specific vulnerability have been publicly reported, ReDoS vulnerabilities are generally considered easily exploitable. There are no indications this is on KEV or has an EPSS score. Public proof-of-concept code is available, demonstrating the ease of exploitation. The vulnerability's simplicity makes it a potential target for automated scanning and exploitation.
威胁情报
漏洞利用状态
EPSS
0.43% (63% 百分位)
时间线
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The recommended mitigation for CVE-2017-16030 is to upgrade the useragent module to version 2.1.13 or later. This version includes a fix that prevents the ReDoS vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the User-Agent header to limit its length. Web application firewalls (WAFs) configured to detect and block excessively long headers can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to parse a long, crafted User-Agent header and verifying that CPU usage remains within acceptable limits.
修复方法翻译中…
暂无官方补丁。请查找临时解决方案或持续关注更新。
常见问题翻译中…
What is CVE-2017-16030 — ReDoS in useragent Node.js Module?
CVE-2017-16030 is a denial of service vulnerability in the useragent Node.js module. A specially crafted User-Agent header can cause excessive CPU usage, leading to a DoS. It affects versions before 2.1.13.
Am I affected by CVE-2017-16030 in useragent Node.js Module?
You are affected if your Node.js application uses the useragent module and is running a version prior to 2.1.13. Check your project dependencies using npm list useragent.
How do I fix CVE-2017-16030 in useragent Node.js Module?
Upgrade the useragent module to version 2.1.13 or later using npm install useragent@latest. Consider input validation on User-Agent headers as a temporary measure.
Is CVE-2017-16030 being actively exploited?
While no active campaigns have been publicly reported, the vulnerability is easily exploitable and could be targeted by automated scanners.
Where can I find the official useragent advisory for CVE-2017-16030?
Refer to the useragent module's repository on GitHub for updates and advisories: https://github.com/node-useragent/useragent
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...