Description
The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.
Recommendation
Update the ua-parser-js package to the latest compatible version. Followings are version details:
Affected version(s): **= 1.0.0 = 0.8.0 = 0.7.29** Patched version(s): **1.0.1 0.8.1 0.7.30**
References
Related Issues
- Regular Expression Denial of Service (ReDoS) in ua-parser-js - CVE-2021-27292
- ua-parser-js Regular Expression Denial of Service vulnerability - CVE-2020-7793
- Cross-site Scripting in curly-bracket-parser - CVE-2021-23416
- Regular Expression Denial of Service in ua-parser-js - CVE-2020-7733
- Tags:
- npm
- ua-parser-js
Anything's wrong? Let us know Last updated on February 17, 2026