VYPR
High severity · NVD Advisory · Published Mar 17, 2021 · Updated Aug 3, 2024

CVE-2021-27292

Description

ua-parser-js versions 0.7.14 to 0.7.23 contain a regular expression denial-of-service (ReDoS) vulnerability exploitable via a malicious User-Agent header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The npm package ua-parser-js, versions 0.7.14 through 0.7.23, contains a regular expression denial-of-service (ReDoS) vulnerability. The vulnerable regex, at line 620 of src/ua-parser.js, is the rule used to match Barnes & Noble tablet user-agent strings. The regex uses nested quantifiers that cause exponential backtracking when processing a crafted input, leading to excessive CPU consumption [2][4].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted User-Agent header to any application that uses ua-parser-js to parse user-agent strings. No authentication or special network position is required; the attack can be performed remotely. When the malicious header is processed, the parser becomes stuck for an extended period, effectively causing a denial of service [1][2].

Impact

Successful exploitation results in a denial of service condition. The affected service or application may become unresponsive while processing the malicious input, potentially leading to resource exhaustion and downtime. This can impact availability for legitimate users [1][2].

Mitigation

The vulnerability is fixed in ua-parser-js version 0.7.24. The fix modifies the vulnerable regex to use a possessive quantifier, preventing catastrophic backtracking [4]. Users are strongly advised to upgrade to the latest version. No workarounds are documented.
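The following is an added example, not code from the advisory or from the ua-parser-js project: it places the Barnes & Noble tablet rule from 0.7.23 beside the 0.7.24 rule (both copied from the 809439e20e27 patch below) and runs them over constructed User-Agent strings, showing that the fixed rule extracts the same model for ordinary input and, unlike the old one, never returns a model with trailing whitespace. The sample strings are constructed for this example, not captured from real devices.

```javascript
// Added example, not code from the advisory or from ua-parser-js itself.
// Both patterns are copied from the 809439e20e27 diff: BEFORE is the 0.7.23
// rule, AFTER is the 0.7.24 rule. In BEFORE the greedy `.*` and the following
// `\s+build` both match spaces, so the engine can split a run of whitespace
// between them in many ways before giving up. AFTER pins the model capture to
// a non-space character at each end, so the two parts no longer overlap.
const BEFORE = /android.+[;\/]\s+(Barnes[&\s]+Noble\s+|BN[RT])(V?.*)\s+build/i;
const AFTER  = /android.+[;\/]\s+(Barnes[&\s]+Noble\s+|BN[RT])(\S(?:.*\S)?)\s+build/i;

// Mirror the parser's [[VENDOR, 'Barnes & Noble'], MODEL, [TYPE, TABLET]]
// mapping: capture group 2 of the match is the model string.
function extractModel(re, ua) {
  const m = re.exec(ua);
  return m ? m[2] : null;
}

// Constructed User-Agent strings (not captured from real devices). The third
// one carries two spaces before "Build", which is where the two rules differ;
// the fourth is a non-Nook device that neither rule should match.
const SAMPLES = [
  'Mozilla/5.0 (Linux; U; Android 2.1; en-us; BNRV200 Build/ERD79)',
  'Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Barnes & Noble Nook HD Build/IMM76L)',
  'Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Barnes & Noble Nook HD  Build/IMM76L)',
  'Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PQ3A.190801.002)',
];

// Run both rules on one UA and report the model each one extracts.
function compare(ua) {
  return { before: extractModel(BEFORE, ua), after: extractModel(AFTER, ua) };
}

// List the samples whose extracted model changed with the fix. Only the
// double-space case differs: BEFORE keeps a trailing space in the model
// ("Nook HD "), AFTER trims it ("Nook HD").
function changedByFix(samples = SAMPLES) {
  return samples.filter((ua) => {
    const r = compare(ua);
    return r.before !== r.after;
  });
}

console.log(changedByFix());
```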

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ua-parser-js (npm)
Affected versions: >= 0.7.14, < 0.7.24
Patched versions: 0.7.24

Patches

809439e20e27

Fix potential ReDoS vulnerability as reported by Doyensec

https://github.com/faisalman/ua-parser-js · Faisal Salman · Feb 12, 2021 · via ghsa
1 file changed · +2 −2
  • src/ua-parser.js (+2 −2, modified)
    @@ -620,7 +620,7 @@
                 /android.+[;\/]\s*(Q[T|M][\d\w]+)\s+build/i                         // Verizon Tablet
                 ], [MODEL, [VENDOR, 'Verizon'], [TYPE, TABLET]], [
     
    -            /android.+[;\/]\s+(Barnes[&\s]+Noble\s+|BN[RT])(V?.*)\s+build/i     // Barnes & Noble Tablet
    +            /android.+[;\/]\s+(Barnes[&\s]+Noble\s+|BN[RT])(\S(?:.*\S)?)\s+build/i     // Barnes & Noble Tablet
                 ], [[VENDOR, 'Barnes & Noble'], MODEL, [TYPE, TABLET]], [
     
                 /android.+[;\/]\s+(TM\d{3}.*\b)\s+build/i                           // Barnes & Noble Tablet
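Review bot: the fix works by pinning the model capture to a non-space character at both ends, `(\S(?:.*\S)?)` in place of `(V?.*)`, so the greedy `.*` and the following `\s+build` no longer compete for the same run of whitespace; the hunk shows no possessive quantifier (JavaScript `RegExp` has none), so the advisory text above that describes one should be read as this boundary change. Two things belong in the commit message: the model can no longer start or end with whitespace, so a value that previously came back as `"Nook HD "` now comes back as `"Nook HD"`, and the leading `android.+[;\/]\s+` still has a `.+` that overlaps with `[;\/]\s+`, so a regression test that bounds the parse time for a long non-matching User-Agent should sit beside this change.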
    @@ -694,7 +694,7 @@
                 /(android[\w\.\s\-]{0,9});.+build/i                                 // Generic Android Device
                 ], [MODEL, [VENDOR, 'Generic']], [
     
    -            /(phone)/i,
    +            /(phone)/i
                 ], [[TYPE, MOBILE]]
             ],
     
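Review bot: dropping the trailing comma on `/(phone)/i` is purely cosmetic (a trailing comma in a JavaScript array literal is legal) and has nothing to do with the ReDoS fix; either keep it out of a security patch or say so in the commit message, so that anyone backporting this commit does not hunt for a second fix in this hunk.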
    
2e7e8c4a7b31

Fix several exponential/cubic complexity regexes found by Ben Caller/Doyensec

https://github.com/pygments/pygments · Georg Brandl · Jan 11, 2021 · via ghsa
8 files changed · +14 −12
  • CHANGES (+4 −1, modified)
    @@ -38,8 +38,11 @@ Version 2.7.4
     - Limit recursion with nesting Ruby heredocs (#1638)
     - Fix a few inefficient regexes for guessing lexers
     - Fix the raw token lexer handling of Unicode (#1616)
    -- Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!
    +- Revert a private API change in the HTML formatter (#1655) -- 
    +  please note that private APIs remain subject to change!
     - Add Dracula theme style (#1636)
    +- Fix several exponential/cubic-complexity regexes found by
    +  Ben Caller/Doyensec (#1675)
     
     Thanks to Google's OSS-Fuzz project for finding many of these bugs.
     
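Review bot: this commit is against pygments/pygments, a Python project, while the advisory above names the npm package ua-parser-js as the only affected package, so the link between this patch and CVE-2021-27292 should be confirmed before it is cited as a fix for it. Within the commit itself, the 8 files changed are CHANGES and seven lexer modules with no test file among them, so none of the regex rewrites below carries a regression test; a test that feeds each rewritten lexer a long input in the shape that previously backtracked would keep these patterns from regressing.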
    
  • pygments/lexers/archetype.py (+1 −1, modified)
    @@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
                 (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
                  r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
                 (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
    -            (r'[+-]?(\d+)*\.\d+%?', Number.Float),
    +            (r'[+-]?\d*\.\d+%?', Number.Float),
                 (r'0x[0-9a-fA-F]+', Number.Hex),
                 (r'[+-]?\d+%?', Number.Integer),
             ],
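Review bot: `(\d+)*` is the textbook nested-quantifier case: a run of digits can be partitioned into groups in exponentially many ways, and each partition is retried when the following `\.\d+` fails to match, while `\d*` accepts exactly the same strings in linear time. The rewrite also drops a capturing group, which is safe here because the rule emits a single `Number.Float` token and uses no `bygroups`.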
    
  • pygments/lexers/factor.py (+2 −2, modified)
    @@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
                 (r'(?:<PRIVATE|PRIVATE>)\s', Keyword.Namespace),
     
                 # strings
    -            (r'"""\s+(?:.|\n)*?\s+"""', String),
    +            (r'"""\s(?:.|\n)*?\s"""', String),
                 (r'"(?:\\\\|\\"|[^"])*"', String),
                 (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
                 (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
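Review bot: the `\s+` on either side of the lazy `(?:.|\n)*?` matched the same whitespace as the middle, so on a triple-quoted string that never closes the engine tried every split of each whitespace run between the three parts; reducing each end to a single `\s` leaves the lazy middle to absorb the rest and keeps the accepted language the same. Separately, `(?:.|\n)` is an alternation evaluated at every character; `[\s\S]` expresses the same thing more cheaply and reads better.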
    @@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
             'slots': [
                 (r'\s+', Text),
                 (r';\s', Keyword, '#pop'),
    -            (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
    +            (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
                  bygroups(Text, Name.Variable, Text)),
                 (r'\S+', Name.Variable),
             ],
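Review bot: same overlap as the string rule above: `[^}]+` already matches whitespace, so the `\s+` on both sides of it was ambiguous. With a single `\s` at each end the third group is still terminated by `\}`, and the `(\{\s+)(\S+)` prefix stays unambiguous because `\S+` cannot consume the separating whitespace.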
    
  • pygments/lexers/jvm.py (+0 −1, modified)
    @@ -981,7 +981,6 @@ class CeylonLexer(RegexLexer):
                 (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
                 (r'"(\\\\|\\[^\\]|[^"\\])*"', String),
                 (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
    -            (r'".*``.*``.*"', String.Interpol),
                 (r'(\.)([a-z_]\w*)',
                  bygroups(Operator, Name.Attribute)),
                 (r'[a-zA-Z_]\w*:', Name.Label),
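Review bot: `".*``.*``.*"` chains three unanchored `.*` and is cubic in the length of a line with many backticks, so removing it is the right call; the effect on output should still go in CHANGES. The `String` rule two lines above already matches any complete double-quoted string, so the removed rule was reached only when that one failed, and Ceylon string templates that did reach it now tokenize as `String` rather than `String.Interpol`.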
    
  • pygments/lexers/matlab.py (+3 −3, modified)
    @@ -137,7 +137,7 @@ class MatlabLexer(RegexLexer):
                 (r'.', Comment.Multiline),
             ],
             'deffunc': [
    -            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
    +            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
                  bygroups(Whitespace, Text, Whitespace, Punctuation,
                           Whitespace, Name.Function, Punctuation, Text,
                           Punctuation, Whitespace), '#pop'),
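Review bot: the optional left-hand side `(?:(.+)(\s*)(=)(\s*))?` and the function-name group `(.+)` both used `.+`, so on a line containing `=` the engine explored every split of the text between the two; `\S+` for the assigned name removes that. It also narrows what the rule accepts: a multi-output header such as `[a, b] = f(x)` contains a space, so the optional group no longer matches it and `(.+)` swallows `[a, b] = f` as the `Name.Function` token. Note too that `(.+)(\()(.*)(\))` keeps two overlapping wildcards and stays quadratic in the number of parentheses on the line.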
    @@ -638,7 +638,7 @@ class OctaveLexer(RegexLexer):
                 (r"[^']*'", String, '#pop'),
             ],
             'deffunc': [
    -            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
    +            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
                  bygroups(Whitespace, Text, Whitespace, Punctuation,
                           Whitespace, Name.Function, Punctuation, Text,
                           Punctuation, Whitespace), '#pop'),
    @@ -710,7 +710,7 @@ class ScilabLexer(RegexLexer):
                 (r'.', String, '#pop'),
             ],
             'deffunc': [
    -            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
    +            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
                  bygroups(Whitespace, Text, Whitespace, Punctuation,
                           Whitespace, Name.Function, Punctuation, Text,
                           Punctuation, Whitespace), '#pop'),
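Review bot: this is the third verbatim copy of the same `deffunc` rule, in MatlabLexer, OctaveLexer and ScilabLexer; having to apply the identical correction three times is the argument for hoisting the pattern into one module-level constant so the next fix lands in a single place.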
    
  • pygments/lexers/objective.py (+2 −2, modified)
    @@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
                  'logos_classname'),
                 (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
                  bygroups(Keyword, Text, Name.Class)),
    -            (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
    +            (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
                  bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
                 (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
                  'function'),
    -            (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
    +            (r'(%new)(\s*)(\()(.*?)(\))',
                  bygroups(Keyword, Text, Keyword, String, Keyword)),
                 (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
                 inherit,
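Review bot: in both rules the `\s*` flanking a lazy `.*?` overlapped with it (`(\s*=\s*)(.*?)(\s*\)\s*)` and `(\s*.*?\s*)`), and that is what the rewrite removes. The visible side effect is that whitespace around the value now lands inside the `String` token instead of the neighbouring `Text` tokens, so `%config(foo = bar )` highlights ` bar ` as the string; acceptable, but worth a note for anyone diffing highlighter output.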
    
  • pygments/lexers/templates.py (+1 −1, modified)
    @@ -1405,7 +1405,7 @@ class EvoqueLexer(RegexLexer):
                 # see doc for handling first name arg: /directives/evoque/
                 # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
                 # should be using(PythonLexer), not passed out as String
    -            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
    +            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
                  r'(.*?)((?(4)%)\})',
                  bygroups(Punctuation, Name.Builtin, Punctuation, None,
                           String, using(PythonLexer), Punctuation)),
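Review bot: the removed tail `[^=,%}]+?` overlapped with the `[#\w\-"\'.]+` before it (both match word characters), which is where the backtracking came from. With it gone, the `String` group stops at the first character outside `[#\w\-"\'.]` and everything up to the closing brace falls into the following `(.*?)` group under `using(PythonLexer)`; a test on the `$overlay{name=site_base}` example from the comment above would confirm the emitted tokens are unchanged.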
    
  • pygments/lexers/varnish.py (+1 −1, modified)
    @@ -61,7 +61,7 @@ def analyse_text(text):
                  bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
                 (r'(\.probe)(\s*=\s*)(\{)',
                  bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
    -            (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
    +            (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
                  bygroups(Name.Attribute, Operator, using(this), Punctuation)),
                 (r'\{', Punctuation, '#push'),
                 (r'\}', Punctuation, '#pop'),
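Review bot: `[^;]*` followed by `\s*;` was ambiguous over trailing whitespace, which the change fixes, but `[^;\s]*` now rejects any value containing a space, so an assignment whose right-hand side has internal whitespace no longer matches this rule and falls through to the generic rules below. If such values occur in real VCL, a form that requires a non-space at both ends of the value, as the ua-parser-js fix above does, keeps the value group tolerant of inner spaces without reintroducing the overlap.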
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
