All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Created nodejs-path-parse tracking bugs for this issue:
Affects: fedora-all [bug 1956819]
Analysis is complete for AAP 1.2 and as a result, I found that none of the AAP components use the concerned vulnerable functions, i.e. getAnnotationURL() and loadAnnotation(). Hence, marking AAP as "Not Affected".
Correcting the vulnerable functions: splitDeviceRe, splitTailRe and splitPathRe. None of these are used by AAP 1.2 and its components.
In Red Hat Quay, whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container, it is a development dependency only, hence the impact of this vulnerability is low.