Skip to main content

Google CVE-2026-48125

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-15 https://github.com/faisalman/ua-parser-js GHSA-9h5v-pfqq-x599
5.3
CVSS 3.1 · Vendor: https://github.com/faisalman/ua-parser-js
Share

Severity by source

Vendor (https://github.com/faisalman/ua-parser-js) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from Vendor (https://github.com/faisalman/ua-parser-js) · only source for this CVE.

CVSS VectorVendor: https://github.com/faisalman/ua-parser-js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 15, 2026 - 20:38 vuln.today
Analysis Generated
Jun 15, 2026 - 20:38 vuln.today
CVE Published
Jun 15, 2026 - 20:15 github-advisory
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on ua-parser-js (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.1.

DescriptionCVE.org

Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:

js
/ ([\w ]+) miui\/v?\d/i

Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.

PoC

js
const { UAParser } = require('ua-parser-js');

const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}

Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.

Affected Versions

ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.

Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.

References

Credits

Thanks to @sondt99, who first reported the issue.

AnalysisAI

Unbounded input in ua-parser-js v2.0.1–2.0.9's Client Hints API enables remote denial-of-service via catastrophic regex backtracking. Any server-side Node.js application calling UAParser(headers).withClientHints() is vulnerable to CPU exhaustion when an attacker supplies an oversized Sec-CH-UA-Model header — a single ~32,000-character request consumes over 400ms of CPU with polynomial growth. A functional proof-of-concept exploit is publicly available in the GitHub Security Advisory (GHSA-9h5v-pfqq-x599); no active exploitation in CISA KEV has been confirmed at time of analysis.

Share

CVE-2026-48125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy