A flaw was discovered in is-my-json-valid before 1.4.1 and 2.17.2. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. The package used the regular expression /^\S+@\S+$/ to validate emails; because this pattern backtracks, matching can take about 10 seconds on input 90K characters long.
Upstream patch: https://github.com/mafintosh/is-my-json-valid/commit/b3051b277f7caa08cd2edc6f74f50aeda65d2976
Upstream issue: https://github.com/mafintosh/is-my-json-valid/pull/159
External References: https://snyk.io/vuln/npm:is-my-json-valid:20180214
Created nodejs-is-my-json-valid tracking bugs for this issue: Affects: fedora-all [bug 1546358]
NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected.
Statement: In Red Hat Quay the is-my-json-valid library is included as a build-time dependency of protractor. It is only used at build time, not at runtime, which reduces the impact to Low.
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917