Bcaller

Name of the Vulnerable Software and Affected Versions: Engine.IO versions prior to 4.0.0 Description: The issue allows attackers to cause a denial of service via a POST request to the long polling transport, resulting in resource consumption. This can be achieved by sending a POST request to the `"/longpolling"` endpoint, although the exact endpoint is not explicitly mentioned in the provided descriptions. Recommendations: For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the long polling transport to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: socket.io-parser versions prior to 3.4.1 Description: The issue allows attackers to cause a denial of service due to memory consumption via a large packet, as a concatenation approach is used. Recommendations: For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** uap-core versions prior to 0.7.3 **Description** The issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is due to some regexes being vulnerable to regular expression denial of service (REDoS) because of overlapping capture groups. Each vulnerable regular expression contains 3 overlapping capture groups, and backtracking has approximately cubic time complexity with respect to the length of the user-agent string. **Recommendations** Update uap-core to version 0.7.3 or later to resolve the issue. As a temporary workaround, consider restricting the length of the User-Agent header in HTTP(S) requests to prevent exploitation. Additionally, disabling or restricting the use of the vulnerable regexes can help minimize the risk of exploitation until a patch is applied.