Bug 1995793 (CVE-2021-23425)

Summary: CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: extras-orphan, kaycoth, ldap-maint, michal.skrivanek, mperina, proguski, psegedy, sbonazzo, sgratch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-trim-off-newlines. All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 09:03:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1995794, 1996701, 1996702, 1997713
Bug Blocks: 1995796

Description Guilherme de Almeida Suckevicz 2021-08-19 18:51:02 UTC
All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.

Reference:
https://snyk.io/vuln/SNYK-JS-TRIMOFFNEWLINES-1296850

Comment 1 Guilherme de Almeida Suckevicz 2021-08-19 18:51:16 UTC
Created nodejs-trim-off-newlines tracking bugs for this issue:

Affects: fedora-33 [bug 1995794]

Comment 6 Przemyslaw Roguski 2021-08-23 14:12:27 UTC
The affected code is:
https://github.com/stevemao/trim-off-newlines/blob/master/index.js#L6

There is no fix yet on the upstream side.

Comment 7 juneau 2021-08-24 14:54:56 UTC
Marking hosted services 'notaffected.'
Packages present in nodejs package-lock.json but no references in code; appears this vulnerability is not exposed.

Comment 9 errata-xmlrpc 2022-05-26 16:22:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:4711 https://access.redhat.com/errata/RHSA-2022:4711