ua-parser-js is a lightweight JavaScript library for parsing user-agent strings, giving developers a convenient way to identify browser, operating system, and device information from user requests. Between versions 0.7.20 and 0.7.21 the core functionality is unchanged and remains focused on accurate user-agent parsing. Both versions share identical developer dependencies, using Mocha for testing, Verup for version management, JSHint for code quality, RequireJS for modularity, and UglifyJS for minification, so the development and build process is consistent across the two releases.
The key differences between the versions are subtle. Version 0.7.21, released on December 19, 2019, has a slightly larger unpacked size of 216084 bytes compared to version 0.7.20's 210509 bytes, which was released on June 8, 2019. This minor size increase likely indicates updated or expanded user-agent definitions or minor bug fixes to improve parsing accuracy. Developers looking for the most up-to-date user-agent definitions and potential bug fixes should opt for version 0.7.21. Furthermore, the library is licensed under the MIT license, offering flexibility in its usage across various projects. With its comprehensive user-agent parsing capabilities and active maintenance, ua-parser-js provides value to developers needing to detect user environments for analytics, content adaptation, or feature targeting.
All vulnerabilities affecting version 0.7.21 of the package
Regular Expression Denial of Service in ua-parser-js
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets user-agent strings.
ua-parser-js Regular Expression Denial of Service vulnerability
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Regular Expression Denial of Service (ReDoS) in ua-parser-js
ua-parser-js >= 0.7.14 (fixed in 0.7.24) uses a regular expression that is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js gets stuck processing it for an extended period of time.
ReDoS Vulnerability in ua-parser-js version
A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.
This vulnerability bypasses the library's MAX_LENGTH input limit protection. By crafting a very long user-agent string with a specific pattern, an attacker can cause the script to get stuck processing it for a very long time, which results in a denial of service (DoS) condition.
Affected: all versions of the library prior to version 0.7.33 / 1.0.33.
A patch has been released that removes the vulnerable regular expression; update to version 0.7.33 / 1.0.33 or later.
Regular expression Denial of Service - ReDoS
Thanks to @Snyk who first reported the issue.