How CVE-2026-48125 Works
The vulnerability is a Regular Expression Denial-of-Service (ReDoS) flaw in the `ua-parser-js` library’s Client Hints API handling. The issue stems from a missing input-length limit when processing the `Sec-CH-UA-Model` header.
Specifically, the regular expression used to parse device model strings, `/ ([\w ]+) miui\/v?\d/i`, is susceptible to catastrophic backtracking: when a long, repetitive string is passed to it, the engine can enter a state of exponential complexity and consume excessive CPU time.
A critical factor is the absence of an input-length constraint for Client Hints data. In contrast, the traditional `User-Agent` parsing enforces a strict 500-character limit (UA_MAX_LENGTH = 500). Because the Client Hints values are copied directly without truncation, an attacker can supply a value that is arbitrarily large.
By sending a request with a `sec-ch-ua-model` header containing a 32,000-character payload (e.g., a long string of repeating "A " characters), the attacker makes the regex backtrack with a polynomial increase in processing time, producing a 400ms CPU spike. This can lead to a complete Denial-of-Service (DoS) condition on the server. Vulnerable versions are 2.0.1 through 2.0.9; the attack requires no authentication and is effective against any Node.js server that passes Client Hints headers to the affected API.
DailyCVE Form:
Platform: Node.js ecosystem
Version: 2.0.1 – 2.0.9
Vulnerability: ReDoS via header
Severity: Medium (5.9)
Date: 2026-05-21
Prediction: 2026-05-25 (v2.0.10)
What Undercode Says:
The attack vector lies in the Client Hints integration: the library does not sanitize the `sec-ch-ua-model` value before processing it.
    // Vulnerable API call in server code (ua-parser-js 2.0.1 - 2.0.9)
    const { UAParser } = require('ua-parser-js');
    const headers = req.headers; // contains the crafted sec-ch-ua-model value
    const result = UAParser(headers).withClientHints();
Exploit:
    # Simulate a ReDoS attack by sending a crafted header
    curl -H "sec-ch-ua-model: \"$(printf 'A %.0s' {1..25000})\"" \
         -H "sec-ch-ua-platform: \"Android\"" \
         -H "sec-ch-ua-mobile: \"?1\"" \
         http://target-application.com/profile
Protection:
Update to version 2.0.10 or later of `ua-parser-js` immediately. The patch implements input-length limiting for Client Hints and fixes the vulnerable regex.
    npm install ua-parser-js@2.0.10
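The regex cost growth described above and the length cap the protection relies on, as an added Node.js example (this is not ua-parser-js code and not the 2.0.10 patch): it times the quoted regex against a constructed "A A A ..." payload at increasing sizes so the polynomial growth is visible, applies the same 500-character limit that `User-Agent` parsing already enforces (`UA_MAX_LENGTH`) to every `sec-ch-ua-*` header, and wraps that check in an Express-style middleware that rejects oversized hints with HTTP 431 and logs a structured event for detection. The `clientHintsGuard` middleware, the `sec-ch-ua` name prefix, the 431 status and the log field names are this example's own choices; the request values are constructed.

```javascript
'use strict';
// Added example (not ua-parser-js code). Shows (1) how the cost of the
// advisory's regex grows with the length of a repetitive Sec-CH-UA-Model
// value and (2) how capping Client Hints values to UA_MAX_LENGTH, the limit
// the page says User-Agent parsing already enforces, removes the problem.

const MODEL_RE = / ([\w ]+) miui\/v?\d/i; // regex quoted in the advisory
const UA_MAX_LENGTH = 500;                // limit already applied to User-Agent

// Constructed payload of the shape the post describes: "A " repeated.
function buildPayload(pairs) {
  return 'A '.repeat(pairs);
}

// Run the regex once; report whether it matched, the captured model, and ms spent.
function timeMatch(input) {
  const start = process.hrtime.bigint();
  const match = MODEL_RE.exec(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched: match !== null, model: match ? match[1] : null, ms };
}

// Mitigation A (truncate): copy the header map, cutting sec-ch-ua-* values to max.
function capClientHints(headers, max = UA_MAX_LENGTH) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const isHint = name.toLowerCase().startsWith('sec-ch-ua');
    out[name] = isHint && typeof value === 'string' && value.length > max
      ? value.slice(0, max)
      : value;
  }
  return out;
}

// Mitigation B (reject): return the first oversized hint header, or null if none.
function findOversizedHint(headers, max = UA_MAX_LENGTH) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase().startsWith('sec-ch-ua') &&
        typeof value === 'string' && value.length > max) {
      return { name, length: value.length };
    }
  }
  return null;
}

// Express-style middleware (hypothetical; place it before the UA parser runs).
// Oversized hints get a 431 and a JSON log line a SIEM can alert on.
function clientHintsGuard(max = UA_MAX_LENGTH) {
  return function guard(req, res, next) {
    const bad = findOversizedHint(req.headers, max);
    if (bad) {
      console.warn(JSON.stringify({
        event: 'oversized_client_hint',
        header: bad.name,
        length: bad.length,
        ip: req.socket ? req.socket.remoteAddress : undefined,
      }));
      res.statusCode = 431;
      return res.end('Request Header Fields Too Large');
    }
    next();
  };
}

// Demonstration: doubling the payload should roughly quadruple regex time,
// while the capped value stays at 500 characters and matches in microseconds.
function demo() {
  for (const pairs of [2000, 4000, 8000]) {
    const { ms } = timeMatch(buildPayload(pairs));
    console.log(`${pairs * 2} chars: ${ms.toFixed(1)} ms`);
  }
  const capped = capClientHints({ 'sec-ch-ua-model': buildPayload(16000) });
  const value = capped['sec-ch-ua-model'];
  console.log(`capped: ${value.length} chars, ${timeMatch(value).ms.toFixed(3)} ms`);
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Truncation (Mitigation A) mirrors what the advisory says the patch does and keeps legitimate requests flowing; rejection (Mitigation B) is the stricter choice for a reverse proxy or middleware layer and has the advantage of producing a log event, since a 32,000-character `sec-ch-ua-model` never occurs in real browser traffic.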
Impact:
Availability: Unauthenticated attacker triggers full Denial-of-Service.
Performance: about 400ms of CPU per request at the 32,000-character payload size (cost scales polynomially with input length).
Scope: Any server-side Node.js application using `withClientHints()`.
Data: No confidentiality or integrity impact.
Sources:
Reported By: github.com
Extra Source Hub: Undercode