CVE-2022-25927 Overview
CVE-2022-25927 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the popular ua-parser-js npm package. The vulnerability exists in the trim() function, which utilizes an inefficient regular expression pattern that can be exploited by attackers to cause catastrophic backtracking, resulting in application unavailability.
Critical Impact
Remote attackers can send specially crafted input to the trim() function, causing excessive CPU consumption and effectively rendering Node.js applications unresponsive.
Affected Products
- ua-parser-js versions from 0.7.30 and before 0.7.33
- ua-parser-js versions from 0.8.1 and before 1.0.33
- Node.js applications using vulnerable ua-parser-js versions
Discovery Timeline
- 2023-01-26 - CVE-2022-25927 published to NVD
- 2025-04-01 - Last updated in NVD database
Technical Details for CVE-2022-25927
Vulnerability Analysis
This vulnerability stems from an unsafe regular expression pattern within the trim() function of the ua-parser-js library. Regular Expression Denial of Service (ReDoS) attacks exploit the exponential time complexity that certain regex patterns exhibit when processing specially crafted input strings. In this case, the vulnerable regex /\s\s*$/ used for trimming trailing whitespace contains a pattern that can lead to catastrophic backtracking when fed malicious input.
The ua-parser-js library is widely used for parsing User-Agent strings in web applications and Node.js servers. Due to its prevalence in the JavaScript ecosystem, this vulnerability has significant potential impact across numerous applications that process user-controlled User-Agent headers.
Root Cause
The root cause lies in the inefficient regular expression /\s\s*$/ used to trim trailing whitespace from strings. This pattern, combined with /^\s\s*/ for leading whitespace, creates a situation where the regex engine performs excessive backtracking operations when encountering certain input patterns. The fix removes the trailing whitespace regex entirely, eliminating the attack surface.
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft malicious input strings that, when passed to the trim() function, trigger catastrophic backtracking in the regex engine. This can be accomplished by sending specially crafted User-Agent strings or other input that eventually reaches the vulnerable function, causing the Node.js event loop to block and the application to become unresponsive.
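The following is an added example (not code from the ua-parser-js project) showing the two trim() variants quoted in this advisory side by side, a linear-time alternative, and a simplified model of how much work a backtracking engine does for the unanchored /\s\s*$/ pattern. The constants STR_TYPE, UNDEF_TYPE and EMPTY are reconstructed from the patch; the value of UA_MAX_LENGTH is not given on this page and is assumed to be 500 here. The step counter is a model, not a measurement of V8's engine, but it shows the shape of the problem: doubling the whitespace run roughly quadruples the work, so a few thousand whitespace characters followed by a single non-whitespace character already cost millions of steps.

```javascript
// Added example (not code from the ua-parser-js project): the vulnerable and
// patched trim() variants quoted in this advisory, a linear-time alternative,
// and a simplified model of the work a backtracking engine does for /\s\s*$/.
const EMPTY = '';
const STR_TYPE = 'string';
const UNDEF_TYPE = 'undefined';
// Assumed cap: the advisory references UA_MAX_LENGTH but does not give its value.
const UA_MAX_LENGTH = 500;

// Vulnerable form (ua-parser-js 0.7.30-0.7.32 and 0.8.1-1.0.32). The trailing
// regex has no anchor at its start, so the engine retries it from every position.
function vulnerableTrim(str) {
  return str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
}

// Patched form (0.7.33 / 1.0.33): only the start-anchored regex remains, which
// runs in linear time. Trailing whitespace is no longer removed.
function patchedTrim(str, len) {
  if (typeof str !== STR_TYPE) return undefined;
  str = str.replace(/^\s\s*/, EMPTY);
  return typeof len === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);
}

// Linear-time alternative that keeps the original semantics: the built-in
// trim functions scan once from each end and never backtrack.
function linearTrim(str) {
  return str.trimStart().trimEnd();
}

// ASCII subset of \s; enough for the model below.
function isWs(code) {
  return code === 0x20 || (code >= 0x09 && code <= 0x0d);
}

// Counts the steps a naive backtracking engine spends on /\s\s*$/: one step
// per start position, plus one step per end-of-input test as the greedy \s*
// gives back one character at a time. For m whitespace characters followed by
// a non-whitespace character this is m*(m+1)/2 + m + 1, i.e. quadratic in m,
// whereas a string that ends in whitespace matches after the first whitespace run.
function backtrackingSteps(str) {
  let steps = 0;
  for (let i = 0; i < str.length; i++) {
    steps++; // attempt the leading \s at position i
    if (!isWs(str.charCodeAt(i))) continue;
    let j = i + 1;
    while (j < str.length && isWs(str.charCodeAt(j))) j++; // greedy \s*
    for (let end = j; end >= i + 1; end--) { // test $, then backtrack
      steps++;
      if (end === str.length) return steps; // match found
    }
  }
  return steps; // no match
}

// Demo on constructed inputs: doubling the whitespace run roughly quadruples the work.
for (const m of [100, 200, 400]) {
  console.log(`${m} spaces + 'x': ${backtrackingSteps(' '.repeat(m) + 'x')} steps`);
}
console.log(JSON.stringify([vulnerableTrim('  abc  '), patchedTrim('  abc  '), linearTrim('  abc  ')]));
```

Two things worth noting from the output: the patched function returns 'abc  ' rather than 'abc', so any caller that compared trimmed values sees a behaviour change after upgrading; and the cost depends only on the length of the whitespace run, which is why an input length cap applied before parsing is an effective defence even on unpatched versions.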
},
trim = function (str, len) {
if (typeof(str) === STR_TYPE) {
- str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
+ str = str.replace(/^\s\s*/, EMPTY);
return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);
}
};
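Review bot: the return line `return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);` tests whether `len` was passed but then truncates at the constant `UA_MAX_LENGTH`, so the argument's value is never used; either truncate to `len` or document that the parameter is only a flag. The removal itself is sound: the deleted `.replace(/\s\s*$/, EMPTY)` is the expensive part, because the unanchored leading `\s` makes the engine retry from every whitespace position and the greedy `\s*` then backtracks one character at a time towards `$`, while the surviving `/^\s\s*/` is anchored at the start and runs in linear time. One consequence to record in the changelog: trailing whitespace is now left in the returned string, which changes the result for any caller comparing or hashing trimmed values.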
Source: GitHub Security Patch
Detection Methods for CVE-2022-25927
Indicators of Compromise
- Unusual CPU spikes in Node.js processes handling User-Agent parsing
- Application timeouts or unresponsiveness when processing HTTP requests
- Log entries showing excessively long request processing times for endpoints parsing User-Agent strings
Detection Strategies
- Implement dependency scanning in CI/CD pipelines to identify vulnerable ua-parser-js versions (0.7.30 to 0.7.32 and 0.8.1 to 1.0.32)
- Monitor application performance metrics for anomalous CPU utilization patterns
- Use Software Composition Analysis (SCA) tools to audit npm dependencies for known vulnerabilities
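The dependency-scanning step above can be reproduced without an SCA product. The following is an added example (not tooling from ua-parser-js or npm) that walks a package-lock.json in lockfileVersion 2 or 3 format, where every installed copy, including nested transitive copies, appears as a key under "packages", and flags versions inside the ranges this advisory lists. The lockfile object is constructed for the demo; in practice it would be loaded from disk with JSON.parse.

```javascript
// Added example (not tooling from ua-parser-js or npm): flag ua-parser-js
// versions affected by CVE-2022-25927 in a lockfileVersion 2/3 package-lock.

// Parse "major.minor.patch" (any pre-release suffix is ignored); null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges from the advisory: [from, before)
const VULNERABLE_RANGES = [
  { from: '0.7.30', before: '0.7.33' },
  { from: '0.8.1', before: '1.0.33' },
];

function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, parseVersion(r.from)) >= 0 &&
           compareVersions(v, parseVersion(r.before)) < 0,
  );
}

// Every installed copy is keyed by its path under "packages", so nested
// copies pulled in by other dependencies are found as well as the top-level one.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isUaParser = path === 'node_modules/ua-parser-js' ||
                       path.endsWith('/node_modules/ua-parser-js');
    if (isUaParser && meta && isVulnerableVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level copy, one nested copy brought in
// by a hypothetical "some-analytics" package, and one already-patched nested copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '1.0.32' },
    'node_modules/some-analytics': { version: '2.3.1', dependencies: { 'ua-parser-js': '^0.7.30' } },
    'node_modules/some-analytics/node_modules/ua-parser-js': { version: '0.7.31' },
    'node_modules/other-lib/node_modules/ua-parser-js': { version: '0.7.33' },
  },
};

for (const hit of findVulnerable(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${hit.path} ${hit.version} (CVE-2022-25927)`);
}
```

Note the boundary handling: 0.7.33 and 1.0.33 are the first fixed releases in their branches, so the upper bound is exclusive, and 0.8.0 is not affected because the second range starts at 0.8.1.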
Monitoring Recommendations
- Enable application performance monitoring (APM) to detect latency anomalies in request processing
- Configure alerting for Node.js event loop lag exceeding normal thresholds
- Implement request timeout policies to prevent long-running regex operations from blocking the event loop
How to Mitigate CVE-2022-25927
Immediate Actions Required
- Update ua-parser-js to version 0.7.33 or later for the 0.7.x branch
- Update ua-parser-js to version 1.0.33 or later for the 0.8.x/1.0.x branch
- Audit all applications and dependencies that include ua-parser-js as a transitive dependency
- Run npm audit or yarn audit to identify vulnerable packages in your dependency tree
Patch Information
The vulnerability has been patched in ua-parser-js versions 0.7.33 and 1.0.33. The fix removes the vulnerable trailing whitespace regex pattern from the trim() function. The security patch is available via the official GitHub commit. Additional technical details can be found in the Snyk Vulnerability Report.
Workarounds
- Implement request timeout middleware to prevent long-running operations from blocking application responsiveness
- Apply rate limiting on endpoints that process User-Agent strings to reduce attack surface
- Consider input length validation before passing strings to the ua-parser-js library
# Update ua-parser-js to patched version
npm update ua-parser-js
# Or install specific patched versions
npm install ua-parser-js@0.7.33 # For 0.7.x branch
npm install ua-parser-js@1.0.33 # For 1.0.x branch
# Verify no vulnerable versions remain
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

