Closed tomxhu closed 5 years ago
Hi @tomxhu, while it's true that ua-parser-js had experienced a ReDoS issue, it has been fixed in v0.7.18 (see #291). The ua-parser library mentioned in the article is a different library with a similar name which hasn't been updated for 4 years (hence why it's advised to migrate). However, if you still find another ReDoS vulnerability in ua-parser-js, please feel free to open a new issue here.
https://nvd.nist.gov/vuln/detail/CVE-2017-16086
There seems to be a ReDoS issue with this library that is used here in fbjs: https://github.com/facebook/fbjs/blob/d308fa83c99c93e8e588de3396cf55b31e56b14e/packages/fbjs/src/__forks__/UserAgentData.js
There's no patch for ua-parser-js right now and they suggest migrating to https://www.npmjs.com/package/useragent