The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. Reference: https://github.com/sindresorhus/normalize-url/releases/tag/v6.0.1
Looks like this only affects v4.4.0 on-wards as the `normalizeDataUrl` only got added here: https://github.com/sindresorhus/normalize-url/commit/7df5aff5024f848a4bf69a6513bdffe8e5f10bcb and wasn't moved from another location. Haven't look if that regex is vuln itself, but is changed pretty frequently and also seems likely. The quay-registry-container includes v1.9.0 and does not included the vulnerability.
Upstream fix: https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33502
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:4711 https://access.redhat.com/errata/RHSA-2022:4711
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595