Summary A regular expression denial-of-service (ReDoS) vulnerability has been discovered in "ua-parser-js" when using the Client Hints API. By sending a crafted "Sec-CH-UA-Model" header to an application that calls "UAParser(headers).withClientHints()", an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device "regex" (https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615): / ([\w ]+) miui/v?\d/i Unlike when using the "User-Agent" value, which has a hard limit of "UA_MAX_LENGTH = 500", when using Client Hints, values are copied without a length limit before being passed into regex parsing. PoC const { UAParser } = require('ua-parser-js'); const headers = { 'sec-ch-ua-platform': '"Android"', 'sec-ch-ua-mobile': '?1', 'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"' }; const t0 = process.hrtime.bigint(); UAParser(headers).withClientHints(); const ms = Number(process.hrtime.bigint() - t0) / 1e6; if (ms > 100) { console.log('Potential ReDoS'); } Impact This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses "UAParser(headers).withClientHints()". A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact. Affected Versions "ua-parser-js" versions ">=2.0.1, <=2.0.9" are affected. The "withClientHints()" API is not present in version "0.7.x" or "1.x". Patches A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version "2.0.10" or later. References - "Regular expression Denial of Service - ReDoS (OWASP)" (https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) Credits Thanks to "@sondt99" (https://github.com/sondt99), who first reported the issue.