facebook/fbjs

ua-parser-js security vulnerability

tomxhu opened this issue · 2 comments

https://nvd.nist.gov/vuln/detail/CVE-2017-16086

There seems to be a ReDoS issue with this library that is used here in fbjs: https://github.com/facebook/fbjs/blob/d308fa83c99c93e8e588de3396cf55b31e56b14e/packages/fbjs/src/__forks__/UserAgentData.js

There's no patch for ua-parser-js right now, and they suggest migrating to https://www.npmjs.com/package/useragent

Hi @tomxhu, while it's true that ua-parser-js had experienced a ReDoS issue, it has been fixed in v0.7.18 (see #291). The ua-parser library mentioned in the article is a different library with a similar name, which hasn't been updated for 4 years (hence it's advised to migrate). However, if you still find another ReDoS vulnerability in ua-parser-js, please feel free to open a new issue here.

zpao commented

#291 addressed our usage.
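Since the maintainer's reply fixes the affected range (anything before ua-parser-js v0.7.18), the practical follow-up for a consumer like fbjs is to verify which copies of the package are actually installed, including nested ones. The following is an added example, not code from fbjs or ua-parser-js: it compares versions against 0.7.18 and walks a lockfile dependency tree to report affected entries. The lockfile shape (a nested `dependencies` object with `version` fields, in the style of package-lock v1) and the sample data are constructed assumptions.

```javascript
// Added example (not from fbjs or ua-parser-js): report installed copies of
// ua-parser-js older than the 0.7.18 release cited as fixing the ReDoS
// (CVE-2017-16086).

const FIXED_VERSION = '0.7.18';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any prerelease or build
// suffix is ignored) into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric per-component comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version predates the fix.
function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Walk a lockfile-style dependency tree (assumed shape: each entry has a
// "version" and an optional nested "dependencies" object) and collect every
// affected copy of the named package, with the path it was reached through.
function findAffected(lock, name = 'ua-parser-js') {
  const hits = [];
  function walk(deps, path) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = path.concat(dep);
      if (dep === name && isAffected(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile fragment: one vulnerable copy nested under
// fbjs and one fixed copy at top level. Versions here are illustrative only.
const SAMPLE_LOCK = {
  dependencies: {
    fbjs: {
      version: '0.8.0',
      dependencies: { 'ua-parser-js': { version: '0.7.14' } },
    },
    'ua-parser-js': { version: '0.7.18' },
  },
};

// Running stand-alone prints the single nested hit from the sample above.
console.log(findAffected(SAMPLE_LOCK));
```

The walk matters because a hoisted top-level copy at a fixed version does not guarantee that a nested copy pinned by another dependency is also fixed; both must be checked before closing an issue like this one.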