[email protected] rejected Risk: 43 MIT 2017-07-12

useragent @2.2.1

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Yes

Install Scripts

Dependencies

Dev Dependencies

38.7 KB

Package Size

2017-07-12

Published

Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing

Maintainers

v13rdeden

Keywords

agentbrowserbrowserscopeosparseparseruaua-parseua-parseruser agentuseruser-agentuseragentversion

Dependencies (2)

Package	Constraint	Registry Status
tmp	0.0.x	No greenflagged match
lru-cache	2.2.x	auto_approved

Dev Dependencies (7)

Package	Constraint	Registry Status
mocha	*	auto_approved
semver	1.0.x	auto_approved
should	*	auto_approved
request	2.9.x	No greenflagged match
pre-commit	0.0.x	No greenflagged match
yamlparser	0.0.x	auto_approved
long-stack-traces	0.1.x	auto_approved

Transitive Dependency Tree

2 transitive deps max depth 1

├─ lru-cache 2.2.x → 2.2.4

├─ tmp 0.0.x

Changes from v0.1.2

Dependency Changes

Change	Package	Version
added	tmp	0.0.x
added	lru-cache	2.2.x

Script Changes

+ qa+ test+ update+ prepublish

License Changed

none → none

File Changes

14 added 7 removed 2 modified size delta: -814.0 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-mgfv-m47x-4wqp`	osv	reject	AI	AI (osv): ReDoS vulnerability (CVSS 7.5) affects all versions <= 2.3.0 with no fix published. Verdict generalizes to all versions in the affected range.

SAST Findings (2)

CRITICAL GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). ## PoC ```js async function exploit() { const useragent = require(\"useragent\"); // Create a malicious user-agent that leads to excessive backtracking const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0'; // Parse the malicious user-agent const agent = useragent.parse(maliciousUserAgent); // Call the toString method to trigger the vulnerability const result = await agent.device.toString(); console.log(result); } await exploit(); ```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Commit: f7f8011cc55e Browse source

Published to npm: 2017-07-12