CVE-2020-7793
Regular Expression Denial of Service (ReDoS) vulnerability in ua-parser-js (npm)


What is CVE-2020-7793 About?

The ua-parser-js package before version 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes. This can allow an attacker to make the application unresponsive by providing specially crafted input. Exploitation is easy, requiring only a malicious user-agent string.

Affected Software

ua-parser-js <0.7.23

Technical Details

The vulnerability stems from inefficiently constructed regular expressions within the ua-parser-js library. Several of its regexes backtrack catastrophically on particular inputs. An attacker can craft a user-agent string (or any other input that reaches these regexes) that makes the regular expression engine spend a disproportionately long time evaluating it. That computation consumes significant CPU, leading to a temporary or prolonged denial of service in which the application becomes unresponsive or severely degraded. The commit linked from the advisory identifies the specific problematic patterns: they contain nested quantifiers or overlapping alternatives, which produce exponential processing time on certain inputs.

What is the Impact of CVE-2020-7793?

Successful exploitation may allow attackers to cause a denial of service, making the affected application unresponsive, degrading performance, and frustrating users.

What is the Exploitability of CVE-2020-7793?

Exploiting this ReDoS vulnerability is relatively easy and of low complexity. The main prerequisite is that the application uses the vulnerable ua-parser-js package and passes user-controlled input (such as a User-Agent header) through the problematic regular expressions. There are typically no authentication or privilege requirements, since the malicious input can be sent in a standard HTTP request header, so the attack is remote. The only special condition is that the crafted input must reach one of the affected regexes. Any web application that parses user-agent strings or other user-supplied data with the vulnerable library, without an input-length limit or a processing timeout, is at elevated risk.
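The two mitigations named above, an input-length limit and a time check, can be applied on the request path before the string reaches the parser. The following is an added example and not code from ua-parser-js or from Resolved Security's patch: `guardedParse`, `toyParseUserAgent`, the 512-character cap and the 20 ms budget are all assumptions made for this illustration, and the toy parser stands in for the real library.

```javascript
// Added example (not code from ua-parser-js or from Resolved Security's patch).
// Request-side guard for a regex-heavy user-agent parser: cap the input length
// before any regex runs, since backtracking cost grows with input length, and
// time each parse so that unusually slow ones can be logged and alerted on.

// Assumed limits: genuine User-Agent strings are almost always a few hundred
// characters, and a healthy parse finishes in well under a millisecond.
const MAX_UA_LENGTH = 512;
const SLOW_PARSE_MS = 20;

// Stand-in for the real parser (constructed for this example): it pulls only
// the browser family and major version out of the string.
function toyParseUserAgent(ua) {
  const m = /(Firefox|Chrome|Safari)\/(\d+)/.exec(ua);
  return m ? { browser: m[1], major: Number(m[2]) }
           : { browser: 'unknown', major: null };
}

// Monotonic clock when available (Node >= 16 exposes performance globally).
function nowMs() {
  return typeof performance !== 'undefined' ? performance.now() : Date.now();
}

function guardedParse(ua, parserFn = toyParseUserAgent, opts = {}) {
  const maxLength = opts.maxLength ?? MAX_UA_LENGTH;
  const slowMs = opts.slowMs ?? SLOW_PARSE_MS;

  if (typeof ua !== 'string' || ua.length === 0) {
    return { ok: false, reason: 'missing-user-agent' };
  }
  if (ua.length > maxLength) {
    // Rejected before the parser, and therefore its regexes, ever see the string.
    return { ok: false, reason: 'user-agent-too-long', length: ua.length };
  }

  const t0 = nowMs();
  const result = parserFn(ua);
  const elapsedMs = nowMs() - t0;

  // A parse over budget is worth a log line: either a pattern in the parser
  // backtracks badly on this input, or someone is probing for exactly that.
  return { ok: true, result, elapsedMs, slow: elapsedMs > slowMs };
}

// Constructed sample inputs.
const NORMAL_UA =
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ' +
  'Chrome/87.0.4280.88 Safari/537.36';
const OVERSIZED_UA = 'Mozilla/5.0 ' + 'x'.repeat(4000);

console.log(guardedParse(NORMAL_UA));     // ok: true, browser 'Chrome', major 87
console.log(guardedParse(OVERSIZED_UA));  // ok: false, reason 'user-agent-too-long'
```

The length cap is the part that actually prevents the blow-up, because a backtracking regex cannot take exponential time on an input it never sees; the elapsed-time field only detects a slow parse after the fact (a synchronous regex cannot be interrupted from JavaScript), which is why it is reported rather than enforced. Upgrading to 0.7.23 or later remains the real fix.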

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2020-7793?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch tightens several regular expressions used for user-agent parsing to prevent catastrophic backtracking, which could otherwise be exploited for Regular Expression Denial of Service (ReDoS) as described in CVE-2020-7793. By using stricter quantifiers, enforcing more specific sub-patterns, and making character matches more precise, the patch mitigates the risk that maliciously crafted user-agent strings trigger excessive CPU consumption and cause a denial of service.
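What "stricter quantifiers" and "more specific sub-patterns" mean in practice is shown below with an added example that is not the Resolved Security patch and not a ua-parser-js pattern: `hasNestedQuantifier`, the toy `AMBIGUOUS` and `UNAMBIGUOUS` regexes and the sample strings are all constructed for this illustration. It also goes slightly beyond the page by including a syntactic triage check for quantified groups that contain a quantifier, the shape behind most ReDoS findings.

```javascript
// Added example (not the Resolved Security patch and not ua-parser-js code).
// Two pattern-level steps behind a fix like the one described above: flag
// quantified groups that contain a quantifier for review, then rewrite such a
// pattern so the input can be consumed in only one way.

// Heuristic triage filter: a parenthesised group whose body has an unescaped
// + or * and which is itself followed by +, * or {. It ignores character
// classes, escapes and nesting, so treat a hit as "needs a look", not as proof.
function hasNestedQuantifier(source) {
  return /\([^()]*[+*][^()]*\)[+*{]/.test(source);
}

// Vulnerable shape (constructed for illustration, not one of the library's own
// patterns). "\w+" inside a starred group can split a run of n word characters
// in 2^(n-1) ways, so an input that fails only at the end, such as a long run
// of letters followed by "!", forces exponential backtracking.
const AMBIGUOUS = /^(\w+\s?)*$/;

// Hardened shape accepting exactly the same strings: one \w+ per word, words
// separated by exactly one whitespace character, optional trailing whitespace.
// Every iteration of the inner group must start with \s, so two iterations can
// never overlap and the engine never has more than one way to consume a prefix.
const UNAMBIGUOUS = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Both accept and reject the same short inputs (constructed samples).
const SAMPLES = ['', 'foo', 'foo bar baz', 'foo bar ', 'foo\tbar', 'foo  bar', ' foo', 'foo!'];
function acceptsSameLanguage(a, b, samples = SAMPLES) {
  return samples.every((s) => a.test(s) === b.test(s));
}

// A long failing input: the hardened pattern rejects it in linear time.
// (Do not run AMBIGUOUS on this string; it would not finish in useful time.)
const LONG_FAILING_INPUT = 'a'.repeat(20000) + '!';
function hardenedRejectsQuickly() {
  return UNAMBIGUOUS.test(LONG_FAILING_INPUT) === false;
}

console.log(hasNestedQuantifier(AMBIGUOUS.source));            // true
console.log(hasNestedQuantifier(UNAMBIGUOUS.source));          // true: (?:\s\w+)* is syntactically nested too
console.log(hasNestedQuantifier('(Firefox|Chrome)\\/(\\d+)')); // false
console.log(acceptsSameLanguage(AMBIGUOUS, UNAMBIGUOUS));      // true
console.log(hardenedRejectsQuickly());                         // true
```

Note that the syntactic check flags the hardened pattern as well, because `(?:\s\w+)*` is still a quantifier inside a quantified group. The property that matters is not the syntax but whether two iterations can overlap: the mandatory `\s` at the start of each iteration removes that ambiguity, which is why the rewrite is safe and the original is not. The check narrows the set of patterns to review; the rewrite is the fix.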

Available Upgrade Options

  • ua-parser-js
    • <0.7.23 → Upgrade to 0.7.23


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7793?

Similar Vulnerabilities: CVE-2021-25925, CVE-2021-23363, CVE-2021-27209, CVE-2022-24765, CVE-2022-26615