This affects the package codemirror between versions 5.32.0 to 5.58.1 inclusive; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)* Reference: https://snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937 Upstream patch: https://github.com/codemirror/CodeMirror/commit/55d0333907117c9231ffdf555ae8824705993bbb
Created nodejs-codemirror tracking bugs for this issue: Affects: epel-all [bug 1893301] Affects: fedora-all [bug 1893300]
External References: https://snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7760