ua-parser
Fixed version
0.3.6
CVE-2017-16086 describes a regular expression denial of service (ReDoS) vulnerability affecting versions of ua-parser up to and including 0.3.5. An attacker can exploit this by sending a specially crafted User-Agent header, leading to excessive CPU consumption and potential denial of service. Currently, no official patch is available for this vulnerability, requiring alternative mitigation strategies.
The primary impact of CVE-2017-16086 is denial of service. A malicious actor can craft a User-Agent string that, when processed by the vulnerable ua-parser library, causes the regular expression engine to enter an exponential state, consuming significant CPU resources. This can effectively halt the application or server processing requests, rendering it unavailable to legitimate users. The blast radius is limited to the application utilizing the ua-parser library; however, if the application is critical, the impact can be substantial. Similar ReDoS vulnerabilities have been observed in other regular expression-heavy applications, demonstrating the potential for widespread impact if not addressed.
CVE-2017-16086 was published on July 24, 2018. There is no indication of this vulnerability being actively exploited in the wild. It is not listed on CISA’s Known Exploited Vulnerabilities catalog (KEV) and has a low EPSS score, suggesting a low probability of exploitation. Public proof-of-concept (POC) code exists demonstrating the ReDoS condition, making exploitation relatively straightforward for attackers with the necessary knowledge.
Exploitation status
EPSS
57.77% (98th percentile)
Due to the absence of a direct patch, mitigation for CVE-2017-16086 focuses on avoidance and alternative solutions. The recommended approach is to cease using the vulnerable ua-parser package entirely. Consider migrating to a functionally equivalent package, such as useragent from npm, which has been vetted for similar vulnerabilities. If complete removal is not immediately feasible, implement input validation on the User-Agent header to reject strings exceeding a reasonable length or containing suspicious patterns. While not a complete solution, this can reduce the likelihood of exploitation. Regularly review dependencies and update them to the latest versions to minimize exposure to known vulnerabilities.
No official patch is available yet. Look for a workaround or keep watching for updates.
CVE-2017-16086 is a regular expression denial of service (ReDoS) vulnerability in ua-parser versions up to 0.3.5. A crafted User-Agent header can cause excessive CPU usage, leading to denial of service.
You are affected if your application uses ua-parser version 0.3.5 or earlier. Check your project's dependencies to determine if you are using a vulnerable version.
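The two defensive steps the page recommends, checking whether the installed ua-parser version is in the affected range and validating the User-Agent header before it reaches the parser, as an added example in JavaScript. This is not code from the ua-parser project or from the advisory; the affected range (up to and including 0.3.5) comes from the page, while the 512-byte length cap, the printable-ASCII rule, the `validateUserAgent` and `isVulnerableVersion` names and the Express-style middleware shape are assumptions made here.

```javascript
// Added example, not ua-parser's own code. Defensive helpers around CVE-2017-16086.
// Assumptions: affected versions are <= 0.3.5 (from the page); the 512-byte cap
// and the printable-ASCII rule are choices made for this example, not from the page.

const MAX_UA_LENGTH = 512;        // assumption: legitimate browser UAs are far shorter
const VULNERABLE_MAX = [0, 3, 5]; // from the page: versions up to and including 0.3.5

// Parse "major.minor.patch"; an optional leading "v", "^" or "~" prefix is stripped.
// Returns [major, minor, patch] or null when the string is not a plain version.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the given ua-parser version is in the affected range (<= 0.3.5),
// false when it is newer, null when the version string cannot be parsed
// (for example a dist-tag such as "latest", which must be resolved first).
function isVulnerableVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return null;
  for (let i = 0; i < 3; i++) {
    if (parsed[i] < VULNERABLE_MAX[i]) return true;
    if (parsed[i] > VULNERABLE_MAX[i]) return false;
  }
  return true; // exactly 0.3.5
}

// Validate a raw User-Agent header before handing it to any parser.
// Both checks run in linear time: a length comparison and a character-class
// regex with no nested quantifiers, so the guard itself cannot be a ReDoS target.
function validateUserAgent(header) {
  if (header === undefined || header === null) {
    return { ok: true, value: '' }; // missing header: nothing to parse
  }
  if (typeof header !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (header.length > MAX_UA_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (!/^[\x20-\x7e]*$/.test(header)) {
    return { ok: false, reason: 'non-printable or non-ASCII characters' };
  }
  return { ok: true, value: header };
}

// Express-style middleware (shape assumed; no framework is needed to run this file).
// Rejects oversized or malformed headers with 400 and exposes only the vetted
// string as req.safeUserAgent, which downstream code passes to the parser.
function userAgentGuard(req, res, next) {
  const result = validateUserAgent(req.headers['user-agent']);
  if (!result.ok) {
    res.statusCode = 400;
    res.end('Bad Request: user-agent rejected (' + result.reason + ')');
    return;
  }
  req.safeUserAgent = result.value;
  next();
}
```

`isVulnerableVersion` is meant to be run over the resolved version in your lockfile, not over a range such as `^0.3.0` from package.json, since a range only tells you the floor. The middleware does not make the vulnerable regex safe; it only bounds the input the regex can see, which is why the page still recommends replacing the package.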
There is no official patch. The recommended fix is to avoid using the vulnerable package and migrate to an alternative like useragent or implement input validation on User-Agent headers.
There is no public evidence of CVE-2017-16086 being actively exploited in the wild, but POC code exists, making exploitation possible.
The ua-parser project itself provides little formal advisory information; details about the vulnerability are available from NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-16086