Google
CVE-2026-48125
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from Vendor (https://github.com/faisalman/ua-parser-js) · only source for this CVE.
CVSS VectorVendor: https://github.com/faisalman/ua-parser-js
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on ua-parser-js (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.1.
DescriptionCVE.org
Summary
A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:
/ ([\w ]+) miui\/v?\d/iUnlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.
PoC
const { UAParser } = require('ua-parser-js');
const headers = {
'sec-ch-ua-platform': '"Android"',
'sec-ch-ua-mobile': '?1',
'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};
const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;
if (ms > 100) {
console.log('Potential ReDoS');
}Impact
This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.
Affected Versions
ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.
Patches
A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.
References
Credits
Thanks to @sondt99, who first reported the issue.
AnalysisAI
Unbounded input in ua-parser-js v2.0.1–2.0.9's Client Hints API enables remote denial-of-service via catastrophic regex backtracking. Any server-side Node.js application calling UAParser(headers).withClientHints() is vulnerable to CPU exhaustion when an attacker supplies an oversized Sec-CH-UA-Model header — a single ~32,000-character request consumes over 400ms of CPU with polynomial growth. A functional proof-of-concept exploit is publicly available in the GitHub Security Advisory (GHSA-9h5v-pfqq-x599); no active exploitation in CISA KEV has been confirmed at time of analysis.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9h5v-pfqq-x599