CVE-2021-27292

NameCVE-2021-27292
Descriptionua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs985568

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-ua-parser-js (PTS)buster0.7.14-1vulnerable
bullseye0.7.24+ds-1fixed
bookworm, sid0.8.1+ds+~0.7.36-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ua-parser-jssource(unstable)0.7.24+ds-1985568

Notes

[buster] - node-ua-parser-js <no-dsa> (Minor issue)
https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
Search for package or bug name: Reporting problems