3rd-Eden / useragent

Useragent parser for Node.js, ported from browserscope.org
MIT License

Regular Expression Denial of Service (ReDoS) [HIGH SEVERITY] #147

Open vvscode opened 5 years ago

vvscode commented 5 years ago

Regular Expression Denial of Service (ReDoS)

Vulnerable module: useragent
Introduced through: useragent@2.3.0

Detailed paths
Introduced through: useragent@2.3.0

Overview
useragent allows you to parse user agent strings with high accuracy by using hand-tuned dedicated regular expressions for browser matching.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when passing long user-agent strings.

This is due to an incomplete fix for this vulnerability: https://snyk.io/vuln/SNYK-JS-USERAGENT-11000.

An attempt to fix the vulnerability has been pushed to master.

https://snyk.io/vuln/SNYK-JS-USERAGENT-11000

daKmoR commented 5 years ago

just got the same report 😿

it seems to be already fixed on master? 🎉

would it be possible to release a new version 🤗 pretty please 🤗

mastermatt commented 5 years ago

@3rd-Eden is this on your radar by chance?

daKmoR commented 4 years ago

friendly reminder 🤗

vvscode commented 4 years ago

as a temporary solution I've added

app.use((req, res, next) => {
  // Cap the User-Agent header at 150 characters before any regex-based parser sees it,
  // so an oversized UA cannot drive catastrophic backtracking downstream.
  // Only touch the header when it is actually a string; an absent header stays absent
  // instead of being turned into the literal text "undefined".
  const ua = req.headers['user-agent'];
  if (typeof ua === 'string') {
    req.headers['user-agent'] = ua.slice(0, 150);
  }
  next();
});

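The middleware above is the workaround this thread converges on. The following is an added example written by the editor, not code from the useragent project or from any participant here; it keeps the same idea (bound the header length before any regex runs) but makes it a testable helper plus a middleware factory, and handles the two inputs a one-liner gets wrong: a missing header (which `${...}` would turn into the string "undefined") and a repeated User-Agent header, which Node can hand over as an array rather than a string. The 150-character cap is the value used in the thread, not a limit the library defines; `onTruncate`, `normalizeHeader`, `capUserAgent`, `userAgentLimiter` and `applyToRequest` are names chosen for this example, and the request objects at the bottom are constructed inputs.

```javascript
// Added example (editor's code, not from the useragent project or this thread).
// Hardened form of the header-truncation workaround: bound the User-Agent length
// before a regex-based parser sees it, without mangling absent or repeated headers.

const DEFAULT_MAX_UA = 150; // value used in the thread; tune to your real traffic

// Collapse an incoming header value to one string: undefined stays undefined,
// arrays (repeated headers) are joined the way HTTP folds list-valued headers.
function normalizeHeader(value) {
  if (value === undefined || value === null) return undefined;
  return Array.isArray(value) ? value.join(', ') : String(value);
}

// Bound the header at `max` UTF-16 code units. Backtracking cost grows with input
// length, so keeping the string short is what limits the work a bad regex can do.
function capUserAgent(value, max = DEFAULT_MAX_UA) {
  const str = normalizeHeader(value);
  if (str === undefined) return undefined;
  return str.length > max ? str.slice(0, max) : str;
}

// Express-style middleware factory. `onTruncate(req, originalLength)` is an optional
// hook: a burst of truncated UAs from one client is itself worth logging or alerting on.
function userAgentLimiter({ max = DEFAULT_MAX_UA, onTruncate } = {}) {
  return function limitUserAgent(req, res, next) {
    const original = normalizeHeader(req.headers['user-agent']);
    const capped = capUserAgent(original, max);
    if (capped === undefined) {
      // Absent header: leave it absent rather than parsing the literal "undefined".
      delete req.headers['user-agent'];
    } else {
      if (onTruncate && capped.length < original.length) onTruncate(req, original.length);
      req.headers['user-agent'] = capped;
    }
    next();
  };
}

// Drive the middleware without Express, using a constructed request object.
// Returns what a downstream parser would see and whether the truncation hook fired.
function applyToRequest(headers, options = {}) {
  const req = { headers: { ...headers } };
  const truncatedFrom = [];
  let nextCalled = false;
  const middleware = userAgentLimiter({
    ...options,
    onTruncate: (r, originalLength) => truncatedFrom.push(originalLength),
  });
  middleware(req, {}, () => { nextCalled = true; });
  return { ua: req.headers['user-agent'], nextCalled, truncatedFrom };
}

// Constructed inputs: a realistic UA, an oversized one, an absent one, a repeated header.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(applyToRequest({ 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0' }));
  console.log(applyToRequest({ 'user-agent': 'A'.repeat(100000) }));
  console.log(applyToRequest({}));
  console.log(applyToRequest({ 'user-agent': ['Mozilla/5.0', 'curl/8.0'] }));
}
```

Wire it in with `app.use(userAgentLimiter({ max: 150, onTruncate: (req, n) => console.warn('UA truncated from', n) }))`, ahead of any middleware that calls the parser. A length cap is a mitigation, not a fix: it works only if the parser's worst-case cost at the capped length is acceptable on your hardware, which is worth measuring with the longest UA you allow before relying on it.
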
vvscode commented 4 years ago

@3rd-Eden ping

vvscode commented 4 years ago

https://twitter.com/vvscode/status/1158378665555746821

jfurler commented 4 years ago

Friendly bump @3rd-Eden. We'd really appreciate a release, if that would fix the issue.

ccapiaux commented 4 years ago

@3rd-Eden do you have an update on the fix? (https://twitter.com/vvscode/status/1158378665555746821)

ccapiaux commented 4 years ago

as a temporary solution I've added

app.use((req, res, next) => {
  // Cap the User-Agent header at 150 characters before any regex-based parser sees it,
  // so an oversized UA cannot drive catastrophic backtracking downstream.
  // Only touch the header when it is actually a string; an absent header stays absent
  // instead of being turned into the literal text "undefined".
  const ua = req.headers['user-agent'];
  if (typeof ua === 'string') {
    req.headers['user-agent'] = ua.slice(0, 150);
  }
  next();
});

Is this the only alternative / workaround for now? Has anyone considered either 1. releasing the fix separately or 2. using an alternative library?

Side:

An attempt to fix the vulnerability has been pushed to master.

Is @3rd-Eden the only contributor who can release a fixed version? @davidkwan95 and @ChALkeR I see you both have contributed to the repository in 2019.

Thanks a lot in advance for future replies! :)

mitermayer commented 4 years ago

Can someone fork this and apply this patch?

huntr-helper commented 3 years ago

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

yahanvesh commented 3 years ago

Hi team, it's been more than a year with no update on the fix; can someone suggest an alternative for this module?

vvscode commented 3 years ago

I continue using it, just added a patch with https://github.com/ds300/patch-package

liamcmitchell-sc commented 2 years ago

The uap-core library of regexes that this is built on continues to be updated: https://github.com/ua-parser/uap-core/issues/495. This project is already set up to download the latest regexes, so there is nothing more we can do here.

Alternatives: