VYPR
Moderate severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 4, 2024

CVE-2021-34801

Description

Valine 1.4.14 comment system crashes when a user submits a comment with an incomplete User-Agent string, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Valine version 1.4.14, a fast comment system, contains a vulnerability where parsing a User-Agent (ua) field that only specifies the product and version (e.g., Mozilla/5.0) triggers an error. This error prevents the entire comment list from loading on the affected page [2]. The bug is reachable when any user submits a comment with such a malformed User-Agent string.

Exploitation

An attacker can exploit this by posting a comment with a crafted User-Agent value that is incomplete—only containing the product and version. No authentication is required if the comment system allows anonymous submissions. The attacker simply submits the comment via the Valine interface; upon loading the page, the comment system fails to render, affecting all visitors [3].

Impact

Successful exploitation results in a denial of service: the comment system on the targeted page becomes unresponsive, and existing comments cannot be loaded. This disrupts the functionality of the website's comment section, potentially affecting user engagement and content delivery [2].

Mitigation

As of the available references, no official patch has been released for Valine 1.4.14. The issue was reported in GitHub issue #366 [3]. Users should consider upgrading to a newer version if available, or implement server-side input validation on the User-Agent field. The project may be unmaintained; check for updates regularly.
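
One way to apply the input validation suggested above, as an added example that is not Valine's code and does not come from the advisory: a check that rejects product-only User-Agent values before a comment is stored, plus a render loop that isolates a failing record so the rest of the list still loads. The record fields, function names, length limit and the stand-in `fragileRender` are assumptions.

```javascript
// Added example: hypothetical server-side hook and render guard, not Valine's code.
// Field names (id, nick, comment, ua) and MAX_UA_LENGTH are assumptions.
const PRODUCT_ONLY = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+\/[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;
const MAX_UA_LENGTH = 512;

function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.trim() === '') return 'missing';
  if (ua.length > MAX_UA_LENGTH || /[\x00-\x1f\x7f]/.test(ua)) return 'malformed';
  // The case from the advisory: product and version only, e.g. "Mozilla/5.0".
  if (PRODUCT_ONLY.test(ua.trim())) return 'product-only';
  return 'ok';
}

// Call before the comment is written to storage; reject anything not 'ok'.
function validateComment(record) {
  const verdict = classifyUserAgent(record && record.ua);
  return verdict === 'ok'
    ? { accepted: true }
    : { accepted: false, reason: `user-agent ${verdict}` };
}

// Render each record on its own so one bad stored value cannot block the list.
function renderAll(comments, renderOne) {
  const rendered = [];
  const skipped = [];
  for (const c of comments) {
    try {
      rendered.push(renderOne(c));
    } catch (err) {
      skipped.push({ id: c.id, error: String(err && err.message) });
    }
  }
  return { rendered, skipped };
}

// Stand-in renderer (NOT Valine's parser): assumes a "(system info)" section exists.
function fragileRender(c) {
  const platform = c.ua.match(/\(([^)]*)\)/)[1];
  return `${c.nick} [${platform}]: ${c.comment}`;
}

// Constructed sample records.
const SAMPLE = [
  { id: 1, nick: 'a', comment: 'hi', ua: 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/89.0' },
  { id: 2, nick: 'b', comment: 'yo', ua: 'Mozilla/5.0' },
  { id: 3, nick: 'c', comment: 'ok', ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0' },
];
```

Records already stored before the validation was added are only covered by the render guard, so both pieces are needed.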

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| valine (npm) | <= 1.4.14 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
