CVE-2020-7733
Regular Expression Denial of Service (ReDoS) vulnerability in ua-parser-js (npm)
What is CVE-2020-7733 About?
The `ua-parser-js` package before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted user agent string containing specific patterns for Redmi Phones and Mi Pad Tablets can consume excessive CPU resources. This can lead to a denial of service that makes the server unresponsive, and exploitation is straightforward: the attacker only has to submit a malicious user agent string.
Affected Software
Technical Details
The ua-parser-js package, prior to version 0.7.22, uses a regular expression to identify user agents for Redmi Phones and Mi Pad Tablets. This regular expression is poorly constructed and exhibits 'catastrophic backtracking' when processing certain challenging inputs. An attacker can craft a malicious user agent string that, when matched against this vulnerable regex, causes the regex engine to backtrack an excessive number of times, consuming an exponential amount of CPU time. This prolonged computation ties up server resources, preventing the server from processing legitimate requests and leading to a denial of service.
What is the Impact of CVE-2020-7733?
Successful exploitation may allow attackers to consume excessive CPU resources, leading to a denial of service and making the application unresponsive to legitimate users.
What is the Exploitability of CVE-2020-7733?
Exploitation of this vulnerability is of low complexity. An attacker simply needs to send an HTTP request with a specially crafted 'User-Agent' header to a server that uses the vulnerable ua-parser-js library. No authentication is required, as user agent strings are typically processed before authentication. This is a remote exploitation scenario. The attacker does not need any specific privileges. The primary risk factor is the public exposure of any web application endpoint that parses user agent strings, making it trivial for an attacker to trigger the ReDoS.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7733?
About the Fix from Resolved Security
The patch adjusts regular expressions to replace [\s_]* with [\s_]? in two patterns, preventing unintended excessive matching of whitespace or underscores. This change fixes CVE-2020-7733 by restricting the parser’s regex, mitigating a Regular Expression Denial of Service (ReDoS) risk caused by patterns that could backtrack excessively on crafted input.
Available Upgrade Options
- ua-parser-js
- <0.7.22 → Upgrade to 0.7.22
Additional Resources
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665
- https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226
- https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d
- https://osv.dev/vulnerability/GHSA-662x-fhqg-9p8v
- https://nvd.nist.gov/vuln/detail/CVE-2020-7733
What are Similar Vulnerabilities to CVE-2020-7733?
Similar Vulnerabilities: CVE-2020-7734, CVE-2020-7736, CVE-2020-7739, CVE-2020-7740, CVE-2020-7741
