CVE-2026-48125

NameCVE-2026-48125
DescriptionUAParser.js is a JavaScript library to detect browsers, operating systems, CPUs, and devices from user-agent data. From 2.0.1 until 2.0.10, a regular expression denial-of-service vulnerability exists when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause excessive CPU time due to catastrophic backtracking in the device regex because Client Hints values are copied without the UA_MAX_LENGTH limit used for User-Agent values. This issue is fixed in version 2.0.10.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-ua-parser-js (PTS)bullseye0.7.24+ds-1vulnerable
forky, sid, bookworm, trixie0.8.1+ds+~0.7.36-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ua-parser-jssource(unstable)(unfixed)

Notes

https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599
Fixed by: https://github.com/faisalman/ua-parser-js/commit/90354d3458495628b1d3ba68a9d76673e6d14fc5 (2.0.10)

Search for package or bug name: Reporting problems