Back to overview

CVE-2026-48125

MEDIUM
5.3
CVSS 3.1
Description
UAParser.js is a JavaScript library to detect browsers, operating systems, CPUs, and devices from user-agent data. From 2.0.1 until 2.0.10, a regular expression denial-of-service vulnerability exists when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause excessive CPU time due to catastrophic backtracking in the device regex because Client Hints values are copied without the UA_MAX_LENGTH limit used for User-Agent values. This issue is fixed in version 2.0.10.

Metadata

CVE ID
CVE-2026-48125
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-20 18:46 UTC
Published
2026-07-14 20:54 UTC
Last updated
2026-07-14 20:54 UTC
Primary CWE
CWE-400
CWE-400: Uncontrolled Resource Consumption
Vendor / Product
faisalman / ua-parser-js
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products (1)
VendorProductPlatformVersions
faisalman ua-parser-js >= 2.0.1, < 2.0.10
Weakness (CWE)
CWESourceDescription
CWE-1333 cna CWE-1333: Inefficient Regular Expression Complexity
CWE-400 cna CWE-400: Uncontrolled Resource Consumption
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References (3)
Back to overview