Denial of Service in uap-core when processing crafted User-Agent strings
High severity • GitHub Reviewed
Published Mar 6, 2020 in ua-parser/uap-ruby • Updated Jan 9, 2023
Impact
Some regexes are vulnerable to regular expression denial of service (ReDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
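As an added example (not code from uap-ruby or uap-core), a guard to place in front of the parser as defence in depth alongside upgrading: the attack described above needs long User-Agent values, so the guard refuses to run any regex on over-length input and, on Ruby 3.2 or newer, also caps matching time. MAX_UA_BYTES, the time budget, the stub rule and the sample headers are assumptions.

```ruby
# Added example; this is not code from uap-ruby or uap-core.
MAX_UA_BYTES = 512            # hypothetical cap; measure real traffic before choosing
REGEX_BUDGET_SECONDS = 0.05   # hypothetical per-match budget

# Regexp.timeout= was added in Ruby 3.2; on older rubies only the length cap applies.
Regexp.timeout = REGEX_BUDGET_SECONDS if Regexp.respond_to?(:timeout=)

# Constructed stand-in for the real parser: one unambiguous rule, no overlapping groups.
FAMILY_RULE = /(Firefox|Chrome|Safari)\/(\d+)/
def stub_parse(ua)
  m = FAMILY_RULE.match(ua)
  m ? { family: m[1], major: m[2] } : { family: "Other", major: nil }
end

# Runs the supplied parser only when the header is within budget.
# Returns a hash so callers can log :reason for detection (a burst of
# :too_long or :regex_timeout results from one client is worth alerting on).
def guarded_parse(ua, max_bytes: MAX_UA_BYTES)
  ua = ua.to_s
  if ua.bytesize > max_bytes
    return { status: :skipped, reason: :too_long, bytes: ua.bytesize,
             family: "Other", major: nil }
  end
  parsed = yield(ua)
  { status: :ok, reason: nil, bytes: ua.bytesize }.merge(parsed)
rescue StandardError => e
  # Regexp::TimeoutError exists only on Ruby >= 3.2, so match it by name.
  raise unless e.class.name == "Regexp::TimeoutError"
  { status: :skipped, reason: :regex_timeout, bytes: ua.bytesize,
    family: "Other", major: nil }
end

if __FILE__ == $PROGRAM_NAME
  normal  = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"   # constructed header
  crafted = "Mozilla/5.0 " + ("a " * 4096)                     # constructed long header
  puts guarded_parse(normal)  { |s| stub_parse(s) }.inspect
  puts guarded_parse(crafted) { |s| stub_parse(s) }.inspect
end
```

Treating an over-length header as "Other" keeps the request flowing while denying the crafted string any regex time; log the :reason field so repeated hits from one source are visible in detection.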
Patches
Please update uap-ruby to >= v2.6.0
For more information
GHSA-cmcx-xhr8-3w9p
Reported in uap-core by Ben Caller (@bcaller)