Request to Resolve CVE-2021-21317 (ReDoS Vulnerability) in Commit f7f5a2f Used by Statsig SDK

[nhphuongltv]

Hi team,

We're currently using the Statsig Go SDK, which depends on ua-parser/uap-go at commit f7f5a2f. This version is flagged by Snyk and other scanners for the following vulnerability:

• CVE-2021-21317
• GHSA-p4pj-mg4r-x6v4
• Impact: Regular Expression Denial of Service (ReDoS)

I noticed that the Statsig team previously submitted PR to address this issue in Statsig Go SDK, but the vulnerability still appears unresolved in the current commit used by the SDK.

To ensure compliance and security, we kindly request that this CVE be properly resolved and a patched version be released. Please also consider looping in tore-statsig from the Statsig team, as our company is actively working with him on Statsig integration.

Thank you for your attention to this issue!

Best regards, Phuong Nguyen, AXON INC.

[masklinn]

This issue is nonsensical:

1. uap-core implemented redos mitigations in the ruleset in v0.10.0-4 (ua-parser/uap-core@dc9925d), uap-go links to v0.18.0-30 (ua-parser/uap-core@c941f1d)
2. and the issue was never relevant to uap-go, because it uses go's regexp, which is automaton-based and guarantees a linear runtime

[nhphuongltv]

This issue is nonsensical:

1. uap-core implemented redos mitigations in the ruleset in v0.10.0-4 (ua-parser/uap-core@dc9925d), uap-go links to v0.18.0-30 (ua-parser/uap-core@c941f1d)
2. and the issue was never relevant to uap-go, because it uses go's regexp, which is automaton-based and guarantees a linear runtime

Thanks a lot for the clarification. I also see that the fix for this CVE has already landed in PR #73 and is now in master.

The Snyk report also notes: “A fix was pushed into the master branch but not yet published.”

Would it be possible to publish an official tagged SemVer release of uap-go that includes this fix?
The reason I ask is that tools like Snyk (and maybe CVE scanners) rely on official tagged releases to validate when a vulnerability is resolved. Even though the fix is already in master, without a tagged release the CVE will continue to appear in dependency scans for downstream projects (such as statsig-go-sdk).

Publishing an official release would greatly help both us and other downstream libraries (like statsig-go-sdk) consume the fixed version with confidence and clear the CVE from automated reports.

[dgoldstein0]

Would it be possible to publish an official tagged SemVer release of uap-go that includes this fix?

uap-go does not yet have any "official tagged semver" releases. Contributions for such a process would be welcome, I've just never set up releases with github before.

[nhphuongltv]

Hi @dgoldstein0 , you can create the new release from the releases page of this repo. I’m not an admin on this repository, so I don’t have permission to do it. For example, the screenshot below from another repo.

[nhphuongltv]

Hi @dgoldstein0, just following up on this—have you had a chance to take a look? Creating a new tagged release might help the Snyk Scanning Tool re-evaluate and pass the CVE check. Thanks!

[nhphuongltv]

Hi @dgoldstein0, if it’s more convenient, you could temporarily grant me Write permission on this repository—I’d be happy to help create the release. You can revoke the access right after it’s done. Let me know what works best for you. Thanks!

[brock-statsig]

Just a +1 on this from our side. Happy to take the leg work here if it makes it possible for you @dgoldstein0 and co.

[nhphuongltv]

@masklinn, @bpossolo Could you please help us to create the first release tag for this repo, thanks !