CVE-2021-27292
Denial of Service vulnerability in ua-parser-js (npm)
What is CVE-2021-27292 About?
The ua-parser-js library is vulnerable to a Regular Expression Denial of Service (ReDoS) due to an inefficient regular expression. An attacker can craft a malicious User-Agent header, causing the library to consume excessive processing time. This makes the vulnerability easy to exploit, as it only requires sending a specific HTTP header.
Affected Software
Technical Details
The ua-parser-js library, specifically in versions prior to 0.7.24, employs a regular expression that is susceptible to catastrophic backtracking. When an attacker sends an HTTP request with a specially crafted User-Agent header, evaluation of this regex becomes exceedingly inefficient. The parser gets 'stuck' evaluating the regular expression for an extended duration, spending processing time out of proportion to the input and driving CPU utilization high, which effectively causes a Denial of Service.
What is the Impact of CVE-2021-27292?
Successful exploitation may allow attackers to cause a Denial of Service, making the system or application unresponsive or unavailable.
What is the Exploitability of CVE-2021-27292?
Exploitation is relatively straightforward and requires no authentication or specific privileges, making it a low-complexity attack. It is a remote vulnerability, as an attacker only needs to send a crafted HTTP request with a malicious User-Agent header to the server running the vulnerable library. The primary prerequisite is that the application uses the affected ua-parser-js library to process User-Agent headers. The likelihood of exploitation increases if the application publicly exposes an endpoint that processes HTTP headers from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27292?
About the Fix from Resolved Security
This patch tightens the regular expression used for parsing Barnes & Noble tablet model strings so that it no longer allows whitespace at the beginning or end of the captured data. This addresses CVE-2021-27292, the inefficient regular expression described above, so that crafted User-Agent strings no longer cause the parser to consume excessive processing time.
Available Upgrade Options
- ua-parser-js
- >0.7.14, <0.7.24 → Upgrade to 0.7.24
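To check whether any installed copy falls inside the range listed above, including copies pulled in transitively, the following added example (not code from ua-parser-js or Resolved Security) audits an npm lockfile. It assumes the `packages` map of a v2/v3 `package-lock.json`; the sample lockfile and the package names in it are constructed.

```javascript
// Added example: find ua-parser-js copies in the range this page lists as affected.
const AFFECTED = { above: "0.7.14", below: "0.7.24" }; // range from this page
const PKG = "ua-parser-js";

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Returns <0, 0 or >0, like a sort comparator. Inputs must be parseable.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isAffected(version) {
  if (!parseVersion(version)) return false; // unparseable versions are not flagged
  return compareVersions(version, AFFECTED.above) > 0 &&
         compareVersions(version, AFFECTED.below) < 0;
}

// Walk every install path so nested (transitive) copies are found too.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.24" },
    "node_modules/legacy-analytics/node_modules/ua-parser-js": { version: "0.7.20" },
    "node_modules/not-ua-parser-js-fork": { version: "0.7.20" },
  },
};
for (const f of auditLock(sampleLock)) {
  console.log(`${f.affected ? "AFFECTED" : "ok"}\t${f.version}\t${f.path}`);
}
```

A top-level upgrade to 0.7.24 does not replace a nested copy pinned by another dependency, which is why the audit reports each install path separately.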
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-27292
- https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
- https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
- https://osv.dev/vulnerability/GHSA-78cj-fxph-m83p
- https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
What are Similar Vulnerabilities to CVE-2021-27292?
Similar Vulnerabilities: CVE-2021-23364, CVE-2021-33503, CVE-2020-8294, CVE-2020-28283, CVE-2019-11324
