CVE-2020-26311
Regular Expression Denial of Service (ReDoS) vulnerability in useragent (npm)
What is CVE-2020-26311 About?
The `useragent` package for Node.js contains a ReDoS vulnerability in all versions as of publication. Certain regular expressions within the package are susceptible to excessive backtracking when processing specially crafted, long input strings. This can lead to a denial of service (DoS) by causing the application to hang or consume excessive CPU resources. Exploitation is possible with a single malicious input.
Affected Software
Technical Details
The useragent package parses User-Agent strings with a large table of regular expressions. One or more of those expressions are written so that the regex engine can consume the same run of characters in many different ways; when the overall match then fails, the engine backtracks through every one of those ways before giving up. This is the class of bug known as Regular Expression Denial of Service (ReDoS).

A crafted header of the form Mozilla/5.0 (X repeated many times ) Gecko/20100101 Firefox/77.0 triggers it. Passing such a string to useragent.parse() and then calling toString() on the result, in particular agent.device.toString(), drives the engine into catastrophic backtracking: the number of paths it explores grows exponentially with the length of the repeated run, so a header well within normal header size limits can keep a CPU core busy for a very long time. Because Node.js executes JavaScript on a single event loop thread, the whole process stalls for the duration, which is the denial of service.
What is the Impact of CVE-2020-26311?
Successful exploitation allows an unauthenticated attacker to cause a denial of service by consuming excessive CPU time, making the application unresponsive. Because the parse runs on the Node.js event loop, a single crafted request stalls every other client of that process, not only the attacker's own connection.
What is the Exploitability of CVE-2020-26311?
Exploitation is straightforward: the attacker sends a single HTTP request whose User-Agent header is the crafted string to any application that parses that header with the vulnerable package. No authentication and no further interaction are required, so the attack is remote and unauthenticated. The only prerequisite is that the application, or a middleware it uses (for example for analytics, logging or device detection), hands the header to useragent. Since one such request blocks the Node.js event loop, the availability impact is high. The GitHub Security Lab advisory (GHSL-2020-312, linked below) includes a short JavaScript snippet that reproduces the hang.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-26311?
About the Fix from Resolved Security
The referenced commit tightens and corrects several of the regular expressions used to parse user-agent strings, mainly by removing ambiguous, overly broad or optional quantifiers and by anchoring pattern boundaries more precisely. The original expressions allowed catastrophic backtracking on crafted input. Once each expression admits only one way to match a given run of characters, the engine's work is bounded by the input length, so a malicious header can no longer drive CPU usage out of proportion to its size, which closes the ReDoS issue. Note that this is a source commit: whether it is available as a published release is covered under the upgrade options below, and an application that cannot pick it up should treat bounding User-Agent length as defence in depth only, since a short header is enough to trigger an exponential pattern.
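The backtracking described under Technical Details and the shape of the fix just described, as an added Node.js example that is not code from the useragent package or from the patch: an illustrative user-agent pattern with an ambiguous repeated group (a stand-in for the kind of expression the advisory describes, not the actual regexps.js entry), its hardened form with the ambiguity removed, a crafted input of the shape quoted above, and the length cap an application should apply before parsing. The two regexes, VALID_UA, MAX_UA_LENGTH and every function name here are assumptions made for the illustration.

```javascript
'use strict';

// Added illustration, NOT the useragent package's own regexps.js entry.
// The group ([\w;:.]+\s*)+ is ambiguous: \s* may match nothing, so a run of
// N word characters can be divided between iterations in 2^(N-1) ways, and
// a backtracking engine tries every division once the tail fails to match.
const VULNERABLE_RE = /^Mozilla\/5\.0 \(([\w;:.]+\s*)+\) Gecko\/(\d+) Firefox\/(\d+)\.(\d+)$/;

// Hardened form in the spirit of the fix: one unambiguous character class
// with no nested or optional quantifier, so there is exactly one way to
// consume the parenthesised text and matching is linear in input length.
const HARDENED_RE = /^Mozilla\/5\.0 \(([\w;:. ]+)\) Gecko\/(\d+) Firefox\/(\d+)\.(\d+)$/;

// Assumed application-side cap on User-Agent length (defence in depth only:
// real browser strings are far shorter, and a cap does not rescue an
// exponential pattern, as the timings below show for a ~60-byte header).
const MAX_UA_LENGTH = 512;

// Constructed, realistic Firefox header used as the legitimate input.
const VALID_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0';

// Millisecond clock; performance is a global on Node >= 16, Date.now() otherwise.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Parse with the given regex; capture groups 2..4 hold the version fields.
function parseFirefoxUA(re, ua) {
  const m = re.exec(ua);
  if (!m) return null;
  return { gecko: m[2], major: m[3], minor: m[4] };
}

// Crafted input of the shape quoted in the advisory: a long run of 'X'
// inside the parentheses. The trailing '!' makes the whole match fail at $,
// which is what forces the engine back into the ambiguous group.
function craftedUA(n) {
  return 'Mozilla/5.0 (' + 'X'.repeat(n) + ') Gecko/20100101 Firefox/77.0!';
}

// Wall-clock milliseconds for one exec() of re against ua.
function timeMatch(re, ua) {
  const t0 = now();
  re.exec(ua);
  return now() - t0;
}

// Timings of the vulnerable pattern for increasing run lengths; each extra
// 'X' roughly doubles the work. Kept small so the demo finishes quickly.
function backtrackingGrowth(lengths = [12, 14, 16, 18, 20]) {
  return lengths.map((n) => ({ n, ms: timeMatch(VULNERABLE_RE, craftedUA(n)) }));
}

// What an application should do: reject oversized headers before parsing
// (fail closed), then parse with a pattern that cannot backtrack badly.
function safeParse(ua) {
  if (typeof ua !== 'string' || ua.length > MAX_UA_LENGTH) return null;
  return parseFirefoxUA(HARDENED_RE, ua);
}

function main() {
  console.log('valid UA, vulnerable regex:', parseFirefoxUA(VULNERABLE_RE, VALID_UA));
  console.log('valid UA, hardened regex:  ', parseFirefoxUA(HARDENED_RE, VALID_UA));
  for (const { n, ms } of backtrackingGrowth()) {
    const hardenedMs = timeMatch(HARDENED_RE, craftedUA(n));
    console.log(`n=${n}: vulnerable ${ms.toFixed(2)} ms, hardened ${hardenedMs.toFixed(3)} ms`);
  }
  // The hardened pattern stays linear even on a very long run of 'X' ...
  const huge = craftedUA(200000);
  console.log('hardened, n=200000:', timeMatch(HARDENED_RE, huge).toFixed(1), 'ms');
  // ... and the length cap rejects such a header before any regex runs.
  console.log('safeParse(huge):', safeParse(huge), ' safeParse(valid):', safeParse(VALID_UA));
}

main();
```

Run it with node: the vulnerable column roughly doubles with every extra X while the hardened column stays flat, and the 200000-character input is handled in milliseconds. Note what the length cap does and does not buy: it bounds the cost of a linear or polynomial pattern, but a header of roughly 60 bytes is already enough to make an exponential pattern measurable, so capping header length is defence in depth and not a substitute for fixing the expression or replacing the package.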
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/3rd-Eden/useragent/issues/167
- https://github.com/3rd-Eden/useragent
- https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent
- https://github.com/3rd-Eden/useragent/blob/ffa906f923183c85fbb9e6c90f19345e2bd3c52a/lib/regexps.js#L5568
- https://osv.dev/vulnerability/GHSA-mgfv-m47x-4wqp
- https://github.com/3rd-Eden/useragent/commit/4c3ee79358bea72d88fe78ac98f4f861db40b89b
- https://nvd.nist.gov/vuln/detail/CVE-2020-26311
What are Similar Vulnerabilities to CVE-2020-26311?
Similar Vulnerabilities: CVE-2020-7754, CVE-2022-24434, CVE-2022-25925, CVE-2023-26136, CVE-2021-43809
