The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked, causing a denial of service condition.

References:
https://nodesecurity.io/advisories/527

Upstream patch:
https://github.com/jshttp/forwarded/commit/d469116eda4931fbe1c0ccb29497b35930bfa328
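For illustration, a single-pass X-Forwarded-For parser that uses no regular expression, so its cost stays linear in the header length. This is an added example, not code from the forwarded module or its upstream patch; the function name `parseForwardedFor` and the limits `MAX_HEADER_LENGTH` and `MAX_ENTRIES` are assumptions chosen for the sketch.

```javascript
'use strict';

// Added example: regex-free, single-pass X-Forwarded-For parsing.
// Both limits are assumed values, not taken from the advisory or the module.
const MAX_HEADER_LENGTH = 1024;
const MAX_ENTRIES = 32;

// Returns the addresses listed in the header, left to right.
// Throws RangeError when the header exceeds the assumed limits so the
// caller can reject the request instead of spending CPU on it.
function parseForwardedFor(header) {
  if (typeof header !== 'string' || header.length === 0) return [];
  if (header.length > MAX_HEADER_LENGTH) {
    throw new RangeError('X-Forwarded-For header too long');
  }
  const entries = [];
  let start = -1; // index of the first non-blank char of the current entry
  let end = -1;   // index just past its last non-blank char
  for (let i = 0; i <= header.length; i++) {
    // Treat end of input as a final comma so the last entry is flushed.
    const code = i < header.length ? header.charCodeAt(i) : 0x2c;
    if (code === 0x2c) { // ','
      if (start !== -1) {
        if (entries.length === MAX_ENTRIES) {
          throw new RangeError('too many X-Forwarded-For entries');
        }
        entries.push(header.slice(start, end));
      }
      start = -1; // empty entries (", ,") are skipped
    } else if (code !== 0x20 && code !== 0x09) { // neither space nor tab
      if (start === -1) start = i;
      end = i + 1;
    }
  }
  return entries;
}

// Constructed sample input using documentation address ranges.
console.log(parseForwardedFor('203.0.113.7,  198.51.100.2 ,192.0.2.1'));
```

Every character is examined once and there is no backtracking, so parsing time is bounded by the length cap regardless of how the header is laid out.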
Created nodejs-forwarded tracking bugs for this issue: Affects: fedora-all [bug 1500251]
Created nodejs-forwarded tracking bugs for this issue: Affects: openshift-1 [bug 1516726]
Could not find any usages of vulnerable Express API calls mentioned in Express security notification.

"This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol."
https://expressjs.com/en/changelog/4x.html#4.16.0

Marking RHMAP as notaffected.