VYPR
High severity · NVD Advisory · Published Jan 25, 2023 · Updated Apr 1, 2025

CVE-2022-25927

Description

ua-parser-js versions before 0.7.33 and 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The vulnerability is a Regular Expression Denial of Service (ReDoS) in the trim() function of the ua-parser-js library [1]. It affects versions from 0.7.30 to before 0.7.33 and from 0.8.0 to before 1.0.33. The trailing-whitespace pattern used by trim(), /\s\s*$/, is not anchored on the left, so a user-agent string containing a long run of whitespace followed by a non-whitespace character makes the regex engine attempt a match from every whitespace position and backtrack through each attempt before failing. This catastrophic backtracking drives CPU consumption up with the square of the length of the whitespace run.

Exploitation

An attacker exploits this by sending a crafted user-agent string to an application that passes it to ua-parser-js [4]. The User-Agent header is fully attacker-controlled, so no authentication is required and the attack can be performed remotely. The ReDoS triggers when trim() runs its trailing-whitespace regex over the input; the work grows quadratically (polynomial, not exponential) with the length of the whitespace run, which is enough to stall a single-threaded Node.js event loop for seconds with a request of a few tens of kilobytes [3].

Impact

Successful exploitation results in denial of service, as the CPU becomes excessively busy processing the malicious input, potentially causing the application to become unresponsive for an extended period [4]. This can affect both client-side and server-side usage of the library.

Mitigation

The vulnerability was patched in versions 0.7.33 and 1.0.33 by removing the trailing-whitespace regex from the trim() function [3]; the patched trim() therefore strips leading whitespace only. Users are advised to upgrade to the patched versions immediately. No workarounds are documented.
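As an added example (not code from the ua-parser-js project or from this advisory), the following JavaScript puts the pre-fix trim() body from the patch next to the post-fix one, adds a String.prototype.trim()-based variant that keeps two-sided trimming in linear time, and models the backtracking work that /\s\s*$/ performs on a crafted user-agent string. The UA_MAX_LENGTH value, the craftPayload() input and the countBacktrackSteps() model are assumptions made for this example, not the project's own code or constants.

```javascript
// Added example, not ua-parser-js project code: the pre-fix and post-fix
// trim() bodies from the patch, a linear-time replacement, and a model of the
// backtracking work the trailing-whitespace regex performs.
const EMPTY = '';
// ua-parser-js caps user-agent length with a constant of this name; the value
// here is assumed for the example.
const UA_MAX_LENGTH = 500;

// Pre-fix trim() (< 0.7.33 / < 1.0.33). The trailing pattern /\s\s*$/ has no
// left anchor, so on a run of n whitespace characters followed by a
// non-whitespace character the engine starts a match at each of the n
// positions, extends \s* greedily, fails at $, and backtracks one character at
// a time: about n*(n+1)/2 steps before it gives up.
function vulnerableTrim(str, len) {
  if (typeof str !== 'string') return undefined;
  str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
  return typeof len === 'undefined' ? str : str.substring(0, UA_MAX_LENGTH);
}

// Post-fix trim() (0.7.33 / 1.0.33). Only the leading pattern remains; ^ pins
// it to offset 0, so the cost is linear. Trailing whitespace is no longer removed.
function patchedTrim(str, len) {
  if (typeof str !== 'string') return undefined;
  str = str.replace(/^\s\s*/, EMPTY);
  return typeof len === 'undefined' ? str : str.substring(0, UA_MAX_LENGTH);
}

// Alternative that keeps two-sided trimming without a regex:
// String.prototype.trim() scans inward from each end and cannot backtrack.
function safeTrim(str, len) {
  if (typeof str !== 'string') return undefined;
  str = str.trim();
  return typeof len === 'undefined' ? str : str.substring(0, UA_MAX_LENGTH);
}

// Constructed attacker input: a plausible prefix, n spaces, then one
// non-whitespace character so that /\s\s*$/ can never succeed.
function craftPayload(n) {
  return 'Mozilla/5.0' + ' '.repeat(n) + 'x';
}

// Model of a backtracking matcher running /\s\s*$/: for every start position
// holding whitespace, extend greedily, then retreat one character at a time
// testing $ until the start position is reached. Returns the number of $
// tests performed, which tracks the real engine's work up to a constant.
function countBacktrackSteps(str) {
  const ws = /\s/;
  let steps = 0;
  for (let i = 0; i < str.length; i++) {
    if (!ws.test(str[i])) continue;                  // \s must match at i
    let j = i + 1;
    while (j < str.length && ws.test(str[j])) j++;   // greedy \s*
    for (let k = j; k > i; k--) {                    // backtrack
      steps++;
      if (k === str.length) return steps;            // $ matched: done
    }
  }
  return steps;                                      // no match anywhere
}

// Wall-clock cost of one call, in milliseconds.
function measureMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Demo: the modelled step count grows quadratically and the pre-fix trim's
// wall-clock time follows it, while the patched and trim()-based versions stay flat.
for (const n of [1000, 2000, 4000, 8000]) {
  const ua = craftPayload(n);
  console.log(
    `n=${n}: steps=${countBacktrackSteps(ua)}`,
    `vulnerable=${measureMs(vulnerableTrim, ua).toFixed(2)}ms`,
    `patched=${measureMs(patchedTrim, ua).toFixed(2)}ms`,
    `safe=${measureMs(safeTrim, ua).toFixed(2)}ms`,
  );
}
```

Run with node; each doubling of n roughly quadruples both the modelled step count and the pre-fix timing, while the two linear variants stay near zero. Note that patchedTrim() and safeTrim() differ in output for a string with trailing whitespace, which is the behavioural change the fix introduced.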

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions      Patched versions
ua-parser-js (npm)  >= 0.7.30, < 0.7.33    0.7.33
ua-parser-js (npm)  >= 0.8.0, < 1.0.33     1.0.33

Affected products: 2

Patches: 1

a6140a17dd03

Remove unsafe regex in trim() function

https://github.com/faisalman/ua-parser-js · Faisal Salman · Jan 20, 2023 · via GHSA
1 file changed · +1 −1
  • src/ua-parser.js  +1 −1  modified
    @@ -93,7 +93,7 @@
             },
             trim = function (str, len) {
                 if (typeof(str) === STR_TYPE) {
    -                str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
    +                str = str.replace(/^\s\s*/, EMPTY);
                     return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);
                 }
         };
    
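Review bot: the `+` line drops the trailing `.replace(/\s\s*$/, EMPTY)` instead of replacing it, so trim() now keeps trailing whitespace, a behavioural change for any caller that compares or keys on the trimmed string; `str = str.trim();` strips both ends in linear time with no backtracking, whereas `/\s+$/` would reintroduce the same quadratic pattern. On the unchanged `return` line, `len` is tested for undefined but never used: `str.substring(0, UA_MAX_LENGTH)` ignores it, so either pass `len` to substring or drop the parameter, and applying that truncation before any regex runs would bound the cost of whatever pattern remains.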

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.