The browserslist package from version 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
While some components do package a vulnerable version of the Node.js browserslist library, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact.
This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
In Red Hat Quay, whilst a vulnerable version of `browserslist` is included in the quay-rhel8 container, it is a development dependency only; therefore the impact is low.
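The following is an added example, not part of this advisory or of any Red Hat product code. It audits an npm lockfile (lockfileVersion 2/3 "packages" map, assumed format) for copies of browserslist in the affected range stated above and records whether each copy is a development-only dependency, since that distinction drives the impact rating; the lockfile content is constructed inline.

```javascript
// Constructed sample of an npm lockfile "packages" map; not from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/browserslist": { version: "4.16.3", dev: true },
    "node_modules/some-tool/node_modules/browserslist": { version: "4.16.6" },
    "node_modules/caniuse-lite": { version: "1.0.30001200" },
  },
};

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const [core] = v.split(/[-+]/);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 4.0.0 and < 4.16.5.
function isVulnerableBrowserslist(version) {
  return compareVersions(version, "4.0.0") >= 0 &&
         compareVersions(version, "4.16.5") < 0;
}

// Walk the lockfile and report every affected browserslist install,
// flagging dev-only copies (lower exposure) separately from runtime ones.
function findVulnerableBrowserslist(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/browserslist$/.test(path)) continue;
    if (!isVulnerableBrowserslist(meta.version)) continue;
    findings.push({ path, version: meta.version, devOnly: meta.dev === true });
  }
  return findings;
}

console.log(findVulnerableBrowserslist(sampleLock));
```

Nested copies under another package's `node_modules` are reported too, so a fixed top-level version does not hide an older transitive one.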