{"id":"CVE-2021-21317","details":"uap-core is an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (ReDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a maliciously crafted long string. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby, etc., which depend upon uap-core, follow different version schemes, so the 0.11.0 fix version refers to uap-core itself, not to those packages.","aliases":["GHSA-p4pj-mg4r-x6v4"],"modified":"2026-04-12T01:01:13.200507Z","published":"2021-02-16T18:15:12.583Z","related":["GHSA-p4pj-mg4r-x6v4"],"references":[{"type":"ADVISORY","url":"https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4"},{"type":"ADVISORY","url":"https://www.npmjs.com/package/uap-core"},{"type":"FIX","url":"https://github.com/ua-parser/uap-core/commit/dc9925d458214cfe87b93e35346980612f6ae96c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ua-parser/uap-core","events":[{"introduced":"0"},{"fixed":"01ccff6ccaaa9216405da120636a35fe38286bae"},{"fixed":"dc9925d458214cfe87b93e35346980612f6ae96c"}],"database_specific":{"cpe":"cpe:2.3:a:uap-core_project:uap-core:*:*:*:*:*:node.js:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.11.0"}]}}],"versions":["java-1.2.2","java-1.3.0","php-3.3","semver","v0.1.0","v0.1.1","v0.10.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.3.0","v0.3.1","v0.3.2","v0.3.4","v0.6.0","v0.6.1","v0.6.11","v0.6.2","v0.6.3","v0.6.4","v0.6.5","v0.6.6","v0.6.7","v0.6.8","v0.6.9","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.8.0","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21317.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}