Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS). The function unescapeHTML is vulnerable to ReDoS due to an overly broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Upstream issue: https://github.com/epeli/underscore.string/issues/510
This vulnerability is out of security support scope for the following product:

* Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.
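For callers who want to see how an unbounded entity matcher behaves next to a bounded one, the following added example (not underscore.string's code, and not taken from the upstream fix) times both on constructed input and wraps the bounded form in a length-checked helper. The two patterns, the names decodeWith, safeUnescape and timeDecode, and the MAX_INPUT limit are all assumptions made for illustration.

```javascript
// Added example, not underscore.string's code. Both patterns are assumptions
// that illustrate an unbounded entity matcher and a bounded replacement.
const UNBOUNDED_ENTITY = /&([^;]+);/g;     // entity name may be any length
const BOUNDED_ENTITY = /&([^;]{1,10});/g;  // entity name capped at 10 chars
const MAX_INPUT = 20000;                   // assumed application limit
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode the entities that `pattern` finds; unknown ones are left untouched.
function decodeWith(pattern, str) {
  return str.replace(pattern, (whole, name) => {
    if (Object.prototype.hasOwnProperty.call(NAMED, name)) return NAMED[name];
    const dec = /^#(\d{1,7})$/.exec(name);
    const hex = /^#x([0-9a-f]{1,6})$/i.exec(name);
    const code = dec ? parseInt(dec[1], 10) : hex ? parseInt(hex[1], 16) : -1;
    return code >= 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Defence in depth for callers: reject oversized input before any regex runs.
function safeUnescape(str) {
  if (typeof str !== 'string') throw new TypeError('expected a string');
  if (str.length > MAX_INPUT) throw new RangeError('input too long');
  return decodeWith(BOUNDED_ENTITY, str);
}

// Milliseconds spent decoding `n` characters that never complete an entity
// (constructed worst-case input for the unbounded pattern).
function timeDecode(pattern, n) {
  const input = '&'.repeat(n);
  const start = process.hrtime.bigint();
  decodeWith(pattern, input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Print timings at doubling sizes so the growth of each pattern is visible.
for (const n of [2500, 5000, 10000]) {
  console.log(n, 'chars:',
    'unbounded', timeDecode(UNBOUNDED_ENTITY, n).toFixed(1), 'ms,',
    'bounded', timeDecode(BOUNDED_ENTITY, n).toFixed(1), 'ms');
}
```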