Description
Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.
Recommendation
Update the useragent package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.1.12
- Patched version(s): 2.1.13
References
Related Issues
- method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header - CVE-2017-16136
- ReDoS via long string of semicolons in tough-cookie - CVE-2016-1000232
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - CVE-2026-40175
You might also like:
- Tags:
- npm
- useragent
Anything's wrong? Let us know Last updated on September 06, 2023


