CVE-2022-25927: Critical ReDoS Vulnerability Affecting ua-parser-js Package in Multiple Versions

Security researchers have discovered a critical vulnerability, tracked as CVE-2022-25927, affecting multiple versions of the popular ua-parser-js package. Affected versions are prone to Regular Expression Denial of Service (ReDoS) attacks via the trim() function, which can severely impact applications that use the vulnerable package.

0.8.1 to 1.0.33 (inclusive)

If you're using any of these versions, it's crucial to update your package immediately to mitigate the risk of a ReDoS attack.

Exploit Details

A ReDoS attack targets the regular expression features of the package that are used for parsing user agent strings. In this case, the trim() function is the primary attack vector, where a carefully crafted input can cause excessive backtracking and extend the processing time exponentially. As a result, the application may become unresponsive, and the server might be overwhelmed, leading to a denial-of-service condition.

When an attacker successfully exploits the vulnerability, they can effectively slow down or even crash the impacted service. In a worst-case scenario, this could lead to an entire application becoming inoperative.

The following is an example of a malicious payload targeting the ReDoS vulnerability:

const UAParser = require('ua-parser-js');
const parser = new UAParser();

// The '#' characters signify specially crafted characters in a payload to cause increased processing time
const input = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0 |###############";

// Time a single parse of the crafted string
const start = process.hrtime();
parser.setUA(input.trim()).getResult();
const end = process.hrtime(start); // [seconds, nanoseconds]

console.log(`Execution time: ${end[0] * 1e9 + end[1]} nanoseconds`);

Note: The "###############" in the input variable signifies the specially crafted characters in a payload to cause increased processing time. This is just a simple example; real exploits might be more complex and harder to identify.

Mitigation

To protect your application from this vulnerability, upgrade the ua-parser-js package to a secure version immediately. You can update the package using a package manager like npm or yarn:

# If using npm:
npm update ua-parser-js

# If using yarn:
yarn upgrade ua-parser-js
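
Upgrading is the fix. As defense in depth around any User-Agent parser, the following added example (not code from this page or from the ua-parser-js project) caps the header length, trims without a regex, and flags slow parses. MAX_UA_LENGTH, SLOW_PARSE_MS and the function names are assumptions chosen for illustration.

```javascript
// Added example (not from ua-parser-js): bound and time User-Agent parsing.
// MAX_UA_LENGTH and SLOW_PARSE_MS are assumed values; tune them per service.
const MAX_UA_LENGTH = 512;
const SLOW_PARSE_MS = 50;

// Trim by walking indices; no regex runs over the full string, so there is
// nothing to backtrack over however the input is shaped.
// Characters at or below 0x20 (space and control codes) count as whitespace.
function linearTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && str.charCodeAt(start) <= 0x20) start++;
  while (end > start && str.charCodeAt(end - 1) <= 0x20) end--;
  return str.slice(start, end);
}

// Cap the length first so no later step sees an oversized header value.
function sanitizeUserAgent(raw) {
  if (typeof raw !== 'string') return '';
  return linearTrim(raw.slice(0, MAX_UA_LENGTH));
}

// parseFn is whatever parser the application uses, for example
//   (ua) => new UAParser(ua).getResult()
// now() is injectable so the timing logic can be tested with a fake clock.
function guardedParse(raw, parseFn, now = Date.now) {
  const ua = sanitizeUserAgent(raw);
  const t0 = now();
  const result = parseFn(ua);
  const elapsedMs = now() - t0;
  return {
    ua,
    result,
    elapsedMs,
    truncated: typeof raw === 'string' && raw.length > MAX_UA_LENGTH,
    slow: elapsedMs > SLOW_PARSE_MS, // worth logging and alerting on
  };
}

// Constructed sample header and a stand-in parser, so this runs offline.
const sampleUA = '  Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0  ';
const out = guardedParse(sampleUA, (ua) => ({ length: ua.length }));
console.log(out.truncated, out.slow, JSON.stringify(out.ua));
```

Requests that come back with `truncated` or `slow` set are useful signals to log alongside the source address.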

Conclusion

CVE-2022-25927 is a critical vulnerability that could lead to denial-of-service attacks on applications using the ua-parser-js package in affected versions. If you're using a vulnerable version of the package, it is vital to update it as soon as possible to minimize the risk of an attack and ensure the security and stability of your application.

Timeline

Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/02/2023 18:26:00 UTC