Ua Parser Jsproject Ua Parser Js

ua-parser-js ReDoS via trim() in v0.7.30-0.7.33 & 0.8.1-1.0.33
CVE-2022-25927 7.5 - High - January 26, 2023

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

ReDoS

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0
CVE-2021-4229 8.8 - High - May 24, 2022

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

Inclusion of Functionality from Untrusted Control Sphere

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service
CVE-2021-27292 7.5 - High - March 17, 2021

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
CVE-2020-7793 7.5 - High - December 11, 2020

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS)
CVE-2020-7733 7.5 - High - September 16, 2020

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Resource Exhaustion