A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
Created nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1562027]
Affects: epel-all [bug 1562026]
Upstream commits for nodejs-4 implementation :
Contrary to what upstream changelog suggests, it appears that this CVE affects only nodejs-4.x. Node.js 6 and above had the 'path' library rewritten to avoid inefficient regular expressions.
In Node.js 4, the fix was to backport the newer path parsing method from Node.js 8.
NodeJS is only provided in Openshift Enterprise 3.9 via Red Hat Software Collections. Changing Openshift Enterprise to not affected.