Regular Expression Denial of Service (ReDoS)
Description
ua-parser-js before 0.7.22 contains a ReDoS vulnerability via a crafted User-Agent regex for Redmi and Mi Pad devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
ua-parser-js before version 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the regex pattern used to match the User-Agent strings of Redmi phones and Mi Pad tablets. The pattern can backtrack catastrophically on a crafted input, consuming excessive CPU time [1][2].
Attack Vector
An attacker can exploit this vulnerability by sending an HTTP request with a specially crafted User-Agent header that engages the pattern but forces the regex engine to evaluate for an extremely long time. No authentication or privileged network position is required; the vulnerability can be triggered remotely by any client sending a request to a server that uses the affected library to parse User-Agent strings [2][3].
Impact
Successful exploitation results in a Denial of Service (DoS) condition, where the server becomes unresponsive due to CPU exhaustion, potentially causing application downtime. This can affect any application that uses ua-parser-js to parse User-Agent strings, such as web analytics, logging, or device detection services [3][4].
Mitigation
The vulnerability is fixed in ua-parser-js version 0.7.22. Users should upgrade to this version or later. The fix involves modifying the vulnerable regex to prevent catastrophic backtracking. No workarounds are available other than upgrading [1][4].
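The two changed patterns in the fix commit are the only behavioural change the upgrade brings, so the check a practitioner wants before rolling 0.7.22 out is that the patched regexes still extract the same device models as before. The following is an added example, not code from the ua-parser-js project or from the advisory: it copies the two patched patterns verbatim from the commit diff, runs them over sample User-Agent strings constructed here (not captured from real devices), and adds a hypothetical `isPatched` helper that applies the advisory's "< 0.7.22 affected" range to a version string.

```javascript
// Added example (not code from the ua-parser-js project): a regression check
// that the patched Redmi / Mi Pad patterns from the fix commit still extract
// the device model from ordinary User-Agent strings, plus a version gate for
// the upgrade the advisory prescribes.

// Patched patterns, copied verbatim from the fix commit diff (233d3bae22a7).
const REDMI_PATCHED = /android.+(redmi[\s\-_]*(?:note)?(?:[\s_]?[\w\s]+))\s+build/i;
const MIPAD_PATCHED = /android.+(mi[\s\-_]*(?:pad)(?:[\s_]?[\w\s]+))\s+build/i;

// Mirrors the library's post-processing step [MODEL, /_/g, ' '] shown in the
// diff: take capture group 1, turn underscores into spaces, trim.
function extractModel(re, ua) {
  const m = re.exec(ua);
  return m ? m[1].replace(/_/g, ' ').trim() : null;
}

// Constructed sample User-Agent strings (not captured from real devices).
const SAMPLE_UAS = {
  redmi: 'Mozilla/5.0 (Linux; Android 9; Redmi Note 7 Build/PKQ1.180904.001) AppleWebKit/537.36',
  redmiUnderscore: 'Mozilla/5.0 (Linux; Android 9; Redmi_Note_8_Pro Build/PPR1.180610.011) AppleWebKit/537.36',
  mipad: 'Mozilla/5.0 (Linux; Android 7.0; MI PAD 3 Build/NRD90M) AppleWebKit/537.36',
  pixel: 'Mozilla/5.0 (Linux; Android 10; Pixel 4 Build/QQ3A.200805.001) AppleWebKit/537.36',
};

// Runs every sample through both patched patterns. In a real upgrade you would
// diff this against the output of the pre-upgrade library on the same inputs.
function regressionReport() {
  const report = {};
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
    report[name] = {
      redmi: extractModel(REDMI_PATCHED, ua),
      mipad: extractModel(MIPAD_PATCHED, ua),
    };
  }
  return report;
}

// Hypothetical version gate following the advisory range: "< 0.7.22" affected,
// "0.7.22" patched. Plain dotted-numeric comparison; pre-release suffixes are
// not handled.
const FIXED_VERSION = [0, 7, 22];
function isPatched(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED_VERSION[i]) return have > FIXED_VERSION[i];
  }
  return true;
}

// Usage: a sanity run suitable for a CI step before and after the upgrade.
console.log(JSON.stringify(regressionReport(), null, 2));
console.log('0.7.21 patched?', isPatched('0.7.21'), '| 0.7.22 patched?', isPatched('0.7.22'));
```

The report is deliberately built from return values rather than printed inline so the same function can be asserted on in a test suite; pairing it with the pre-upgrade output on your own User-Agent corpus is the cheapest way to confirm the patch changed nothing but the backtracking behaviour.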
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| ua-parser-js | npm | < 0.7.22 | 0.7.22 |
Affected products
- ua-parser-js/ua-parser-js
Patches
- 233d3bae22a7: Fix potential ReDoS vulnerability
1 file changed · +2 −2
src/ua-parser.js+2 −2 modified@@ -585,9 +585,9 @@ /android.+(hm[\s\-_]*note?[\s_]*(?:\d\w)?)\s+build/i, // Xiaomi Hongmi /android.+(mi[\s\-_]*(?:a\d|one|one[\s_]plus|note lte)?[\s_]*(?:\d?\w?)[\s_]*(?:plus)?)\s+build/i, // Xiaomi Mi - /android.+(redmi[\s\-_]*(?:note)?(?:[\s_]*[\w\s]+))\s+build/i // Redmi Phones + /android.+(redmi[\s\-_]*(?:note)?(?:[\s_]?[\w\s]+))\s+build/i // Redmi Phones ], [[MODEL, /_/g, ' '], [VENDOR, 'Xiaomi'], [TYPE, MOBILE]], [ - /android.+(mi[\s\-_]*(?:pad)(?:[\s_]*[\w\s]+))\s+build/i // Mi Pad tablets + /android.+(mi[\s\-_]*(?:pad)(?:[\s_]?[\w\s]+))\s+build/i // Mi Pad tablets ],[[MODEL, /_/g, ' '], [VENDOR, 'Xiaomi'], [TYPE, TABLET]], [ /android.+;\s(m[1-5]\snote)\sbuild/i // Meizu ], [MODEL, [VENDOR, 'Meizu'], [TYPE, MOBILE]], [
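Review bot: swapping `[\s_]*` for `[\s_]?` in front of `[\w\s]+` on both changed lines removes one ambiguous quantifier, but `[\w\s]+` is still immediately followed by `\s+build`, so two adjacent quantified groups continue to share whitespace and the engine can still try many splits of a long run of spaces before failing; please confirm with a timing run on a long non-matching User-Agent that the change actually bounds backtracking, and since this commit touches only src/ua-parser.js (no test change), add regression cases for a Redmi model and a Mi Pad model so the capture group is shown to be unchanged.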
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-662x-fhqg-9p8v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7733 (advisory)
- github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d (fix commit)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666 (web)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665 (web)
- snyk.io/vuln/SNYK-JS-UAPARSERJS-610226 (web)
- www.oracle.com//security-alerts/cpujul2021.html (web)
News mentions
No linked articles in our index yet.