CVE-2022-25927
Regular Expression Denial of Service (ReDoS) vulnerability in ua-parser-js (npm)


What is CVE-2022-25927 About?

This is a Regular Expression Denial of Service (ReDoS) vulnerability found in `ua-parser-js` 0.7.x versions from `0.7.30` up to `0.7.32`, and in 1.x versions up to `1.0.32`. It allows an attacker to cause a denial of service by crafting a very long user-agent string with a specific pattern. The impact is that the server or client-side application parsing the string stalls and becomes unresponsive.

Affected Software

  • ua-parser-js
    • >0.8.0, <1.0.33
    • >0.7.30, <0.7.33

Technical Details

The vulnerability is a Regular Expression Denial of Service (ReDoS) in the ua-parser-js library. The root cause is an insecure regular expression used for parsing user-agent strings, specifically one that exhibits catastrophic backtracking. Although the library enforces a MAX_LENGTH input limit, an attacker can bypass that protection by crafting an extremely long user-agent string that contains a specific pattern. When this pattern is matched against the vulnerable regular expression, the regex engine backtracks an exponential number of times and consumes excessive CPU time. The script remains stuck for a prolonged period, effectively causing a denial of service for the application or server that tries to parse the malicious user-agent string.

What is the Impact of CVE-2022-25927?

Successful exploitation may allow attackers to cause a denial of service (DoS) by making the application unresponsive or stalled, consuming excessive CPU resources.

What is the Exploitability of CVE-2022-25927?

Exploiting this ReDoS vulnerability is low in complexity. An attacker needs to craft a very long user-agent string with a specific pattern that triggers catastrophic backtracking in the vulnerable regular expression. No authentication or specific privileges are required, as user-agent strings are typically sent in HTTP request headers by any client. This is a remote vulnerability, as the malicious user-agent string is sent within standard HTTP requests. The only precondition is that the target server or client-side application uses an affected version of ua-parser-js (from 0.7.30 to before 0.7.33 / 1.0.33). The library's MAX_LENGTH input limit does not stop this specific pattern. The existence of a proof-of-concept increases the likelihood of exploitation. Any application that parses user-agent headers from untrusted sources with the vulnerable library is at risk of server unresponsiveness or client-side freezing.

What are the Known Public Exploits?

  • PoC author: masahiro331
    • Link: PoC for CVE-2022-25927

What are the Available Fixes for CVE-2022-25927?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

This patch changes the trim function so that it removes only leading whitespace from input strings; trailing whitespace is no longer removed. This prevents attackers from abusing the function to bypass length restrictions by appending whitespace, which could otherwise allow malicious input to slip past validation, and it addresses the input-handling vulnerability described in CVE-2022-25927.
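As an added illustration of the technical details and of the fix described above (example code, not ua-parser-js's own source): the trim helper reconstructed from this advisory's description before and after the change, plus a defensive wrapper that applies the length cap before any regex runs. UA_MAX_LENGTH, the function names and the sample input are assumptions.

```javascript
// Added example, not code from ua-parser-js: the trim helper as this
// advisory describes it before and after the fix, reconstructed from the
// description rather than copied, plus a defensive wrapper for callers.
// UA_MAX_LENGTH and the sample input are assumptions.
const UA_MAX_LENGTH = 500;

// Before the fix: both ends are trimmed by regex, and the length cap is
// applied only afterwards. /\s\s*$/ is not anchored at the start, so on a
// long run of whitespace followed by one non-space character the engine
// retries it from every whitespace position (roughly n^2 steps), all on
// the untruncated input.
function trimVulnerable(str, len) {
  if (typeof str !== 'string') return undefined;
  str = str.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
  return len === undefined ? str : str.substring(0, len);
}

// After the fix: only leading whitespace is removed. /^\s\s*/ is anchored,
// so it is attempted once and fails fast; nothing scans the tail.
function trimFixed(str, len) {
  if (typeof str !== 'string') return undefined;
  str = str.replace(/^\s\s*/, '');
  return len === undefined ? str : str.substring(0, len);
}

// For code that hands User-Agent headers to any parser: cap the length
// before any regex sees the value, then trim with the built-in
// String.prototype.trim(), which is linear and does not backtrack.
function boundedUserAgent(header, maxLen = UA_MAX_LENGTH) {
  if (typeof header !== 'string') return '';
  return header.slice(0, maxLen).trim();
}

// Wall-clock cost of one call, to compare the two helpers on the same input.
function elapsedMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input, UA_MAX_LENGTH);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample: a non-space first character (so the leading trim
// leaves the string alone), a long run of whitespace, and a final non-space.
// Kept small so the demo finishes quickly; the cost grows quadratically.
const sample = 'x' + ' '.repeat(5000) + 'y';
console.log('vulnerable trim:', elapsedMs(trimVulnerable, sample).toFixed(2), 'ms');
console.log('fixed trim:     ', elapsedMs(trimFixed, sample).toFixed(2), 'ms');
```

The point of the wrapper is ordering: truncating to the cap before any regex runs bounds the work regardless of which pattern the parser uses.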

Available Upgrade Options

  • ua-parser-js
    • >0.7.30, <0.7.33 → Upgrade to 0.7.33
  • ua-parser-js
    • >0.8.0, <1.0.33 → Upgrade to 1.0.33


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25927?

Similar Vulnerabilities: CVE-2022-25901, CVE-2020-28186, CVE-2021-23340, CVE-2021-43285, CVE-2022-24765