Bug 2494807 (CVE-2026-45822)

Summary: CVE-2026-45822 decode-uri-component: decode-uri-component: Denial of Service via crafted input
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akostadi, amasferr, anthomas, anujha, asoldano, bbaranow, bdettelb, bmaxwell, bstansbe, dlofthou, dmayorov, doconnor, dymurray, ehelms, fmariani, ggainey, gmalinko, ibolton, istudens, ivassile, iweiss, janstey, jkoehler, jlledo, jmatthew, jmontleo, jpasqual, juwatts, jwon, kaycoth, kshier, lchilton, lphiri, mcarlett, mhulan, mosmerov, msvehla, mwringe, nmoumoul, nwallace, osousa, pantinor, pberan, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, rchan, rhel-process-autobot, rjohnson, rstancel, rstepani, sfeifer, slucidi, smallamp, sseago, stcannon, tcunning, teagle, thjenkin, tmalecek, tsedmik, vdosoudi, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `decode-uri-component` library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by submitting specially crafted input. The `decode()` function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can lead to the application becoming unresponsive and unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-30 09:01:29 UTC
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.