
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`

When:
Where: Global (internet)
Category: cyber_advisory · npm

### Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):

```js
/ ([\w ]+) miui\/v?\d/i
```

Unlike the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, Client Hints values are copied without a length limit before being passed into regex parsing.

### PoC

```js
const { UAParser } = require('ua-parser-js');

// Client Hints headers with an oversized model value; no User-Agent is needed.
const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

// Time the Client Hints parsing path only.
const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}
```

### Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only; there is no confidentiality or integrity impact.

### Affected Versions

`ua-parser-js` versions `>=2.0.1, <=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.

### Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.
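For deployments that cannot upgrade immediately, the following wrapper (an added example, not code from `ua-parser-js` or from the advisory) applies to the Client Hints headers the same kind of length bound the library already enforces on `User-Agent`; oversized `Sec-CH-UA-*` values are dropped rather than truncated, so parsing falls back to the bounded `User-Agent` path, and the dropped names are returned for logging. The names `CH_MAX_LENGTH`, `CLIENT_HINT_HEADERS`, `boundClientHints` and `clientHintsGuard` are this example's own, and the 500-character bound is an assumption that mirrors `UA_MAX_LENGTH`.

```javascript
// Added example (not ua-parser-js or advisory code): bound Client Hints header
// lengths before they reach UAParser(headers).withClientHints().
// Assumption: CH_MAX_LENGTH mirrors the library's UA_MAX_LENGTH = 500.
const CH_MAX_LENGTH = 500;

// Low- and high-entropy UA Client Hints headers a server-side parser may read.
const CLIENT_HINT_HEADERS = new Set([
  'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform',
  'sec-ch-ua-platform-version', 'sec-ch-ua-model', 'sec-ch-ua-arch',
  'sec-ch-ua-bitness', 'sec-ch-ua-full-version-list',
]);

// Returns { headers, dropped }: a copy of `headers` in which every Client Hints
// value longer than maxLen is removed (not truncated, so no half-cut token is
// parsed), plus the names of the removed headers for logging or alerting.
// Non-hint headers are passed through untouched. Dropping a hint makes the
// library fall back to the length-capped User-Agent string.
function boundClientHints(headers, maxLen = CH_MAX_LENGTH) {
  const out = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    if (!CLIENT_HINT_HEADERS.has(key)) { out[key] = value; continue; }
    // Node may present repeated headers as an array; normalise to one string.
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    if (text.length > maxLen) { dropped.push(key); continue; }
    out[key] = text;
  }
  return { headers: out, dropped };
}

// Express/Connect-style middleware built on boundClientHints: replaces
// req.headers with the bounded copy and emits a structured event when a hint
// was dropped, so the condition is visible in logs. Downstream code then calls
// UAParser(req.headers).withClientHints() as before.
function clientHintsGuard(req, res, next) {
  const { headers, dropped } = boundClientHints(req.headers);
  req.headers = headers;
  if (dropped.length > 0) {
    console.warn(JSON.stringify({ event: 'oversized_client_hint', dropped }));
  }
  next();
}
```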
### References

- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)

### Credits

Thanks to [@sondt99](https://github.com/sondt99), who first reported the issue.
