npm package
ua-parser-js
pkg:npm/ua-parser-js
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48125 | — | | | >= 2.0.1, < 2.0.10 | 2.0.10 | Jun 15, 2026 | A regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause |
| CVE-2022-25927 | — | | | >= 0.7.30, < 0.7.33 | 0.7.33 | Jan 25, 2023 | Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function. |
| CVE-2021-4229 | — | | | >= 0.7.29, < 0.7.30 | 0.7.30 | May 24, 2022 | A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the af |
| CVE-2021-27292 | — | | | >= 0.7.14, < 0.7.24 | 0.7.24 | Mar 17, 2021 | ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. |
| CVE-2020-7793 | — | | | < 0.7.23 | 0.7.23 | Dec 11, 2020 | The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). |
| CVE-2020-7733 | — | | | < 0.7.22 | 0.7.22 | Sep 16, 2020 | The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA. |