UAParser.js: Unbounded Sec-CH-UA-Model parsing can trigger ReDoS in withClientHints()
Summary
A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:
/ ([\w ]+) miui\/v?\d/iUnlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.
PoC
const { UAParser } = require('ua-parser-js');const headers = {
'sec-ch-ua-platform': '"Android"',
'sec-ch-ua-mobile': '?1',
'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};
const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;
if (ms > 100) {
console.log('Potential ReDoS');
}
Impact
This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.
Affected Versions
ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.
Patches
A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.
References
Credits
Thanks to @sondt99, who first reported the issue.