
CVE-2021-4229

Severity: Medium
Published: 24 May 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 5.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0086 (75.5th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-4229 is a medium-severity Hidden Functionality (CWE-912) vulnerability in ua-parser-js (ua-parser-js project). Its CVSS v3.1 base score is 5.0 (Medium).

Operationally, its EPSS score places it in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.


Vulnerability details

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.


AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: backdoor


Affected Assets

Vendor: ua-parser-js project
Product: ua-parser-js
Affected versions: 0.7.29, 0.8.0, 1.0.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-912, CWE-829: Documenting every system component at the required granularity and reviewing the inventory detects or prevents hidden functionality from remaining undetected.

addresses CWE-829, CWE-912: The strategy mandates assessment of third-party components and suppliers, directly reducing the inclusion of functionality from untrusted control spheres.

addresses CWE-829, CWE-912: Requires the use of trusted sources and provenance tracking, tangibly limiting the inclusion of functionality from untrusted control spheres.

addresses CWE-912, CWE-829: Addresses hidden functionality by mandating evidence that the system or component contains no undocumented or unauthorized capabilities that could be exploited.

addresses CWE-829, CWE-912: Reimplementing critical components avoids pulling in functionality from untrusted external control spheres.

addresses CWE-912, CWE-829: Inspection can reveal hidden functionality that an attacker has introduced via tampering or unauthorized modification.

addresses CWE-829, CWE-912: Anti-counterfeit procedures directly block the inclusion of components originating from untrusted supply-chain actors.

addresses CWE-829, CWE-912: Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones.
