facebook / fbjs

A collection of utility libraries used by other Meta JS projects.
MIT License

ua-parser-js Dependency Security vulnerability #456

Closed xmalderaan closed 2 years ago

xmalderaan commented 3 years ago

Hello there. Our organization relies on open-source scanners such as WhiteSource and Snyk, and these systems warned us of the following security vulnerability:

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

One of our products depends on a library which depends on the latest version of fbjs. At the time of writing, fbjs depends on "ua-parser-js": "^0.7.18".

Could someone please look at bumping this up?
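The version window quoted above (vulnerable from 0.7.14, fixed in 0.7.24) and the declared range `^0.7.18` are the two facts a maintainer needs to triage this report. The following is an added example, not code from the fbjs project or from either commenter: it checks resolved versions against that window and tests whether a caret range already admits the fixed release under npm's caret semantics (for a `0.x` range the minor component is held fixed, so `^0.7.18` means `>=0.7.18 <0.8.0`). The dependency tree at the bottom is a constructed sample, and the version strings in it are invented for illustration.

```javascript
// Added example (not from fbjs): audit resolved dependency versions against
// the vulnerable window reported in the issue, and check whether a declared
// caret range already admits the fixed release.
// Versions are plain MAJOR.MINOR.PATCH; prerelease tags are not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1, comparing a to b component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Window taken from the advisory quoted in the issue: >= 0.7.14 and < 0.7.24.
const VULN_INTRODUCED = '0.7.14';
const VULN_FIXED = '0.7.24';

function isVulnerableVersion(v) {
  return compareVersions(v, VULN_INTRODUCED) >= 0 &&
         compareVersions(v, VULN_FIXED) < 0;
}

// npm caret semantics: the leftmost non-zero component is held fixed.
//   ^1.2.3  -> >=1.2.3 <2.0.0
//   ^0.7.18 -> >=0.7.18 <0.8.0
//   ^0.0.3  -> >=0.0.3 <0.0.4
function caretRangeAllows(range, candidate) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled');
  const lower = parseVersion(range.slice(1));
  const upper = [...lower];
  if (lower[0] !== 0) { upper[0] += 1; upper[1] = 0; upper[2] = 0; }
  else if (lower[1] !== 0) { upper[1] += 1; upper[2] = 0; }
  else { upper[2] += 1; }
  return compareVersions(candidate, lower.join('.')) >= 0 &&
         compareVersions(candidate, upper.join('.')) < 0;
}

// Constructed sample: package name -> resolved versions found in a flattened
// dependency tree. The versions are invented for this example.
const SAMPLE_TREE = {
  'ua-parser-js': ['0.7.21', '0.7.24', '0.8.1'],
};

// Returns every resolved version of `pkg` that falls inside the window.
function findVulnerableResolutions(tree, pkg) {
  return (tree[pkg] || []).filter(isVulnerableVersion);
}

console.log('vulnerable resolutions:',
  findVulnerableResolutions(SAMPLE_TREE, 'ua-parser-js'));
console.log('^0.7.18 admits 0.7.24:', caretRangeAllows('^0.7.18', '0.7.24'));
```

Because `^0.7.18` already admits `0.7.24`, a fresh install or lockfile refresh picks up the fix without a manifest change; the lockfile's resolved version, not the declared range, is what a scanner should be checked against. Bumping the declared lower bound, as the maintainer did, removes the possibility of a stale lockfile resolving back into the window.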

zpao commented 2 years ago

3.0.1 and 0.8.18 have been published with later dependencies.