negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.
The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Created nodejs-negotiator tracking bugs for this issue:
Affects: fedora-all [bug 1347678]
Affects: epel-all [bug 1347679]
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:1605 https://access.redhat.com/errata/RHSA-2016:1605