The `'path'` module in the Node.js 4.x release line contains a potential
regular expression denial of service (ReDoS) vector. The code in question
was replaced in Node.js 6.x and later so this vulnerability only impacts
all versions of Node.js 4.x. The regular expression, `splitPathRe`, used
within the `'path'` module for the various path parsing functions,
including `path.dirname()`, `path.extname()` and `path.parse()` was
structured in such a way as to allow an attacker to craft a string, that
when passed through one of these functions, could take a significant amount
of time to evaluate, potentially leading to a full denial of service.
Upstream:released (6.0.0~dfsg-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8.10.0~dfsg-2)
Ubuntu 19.10 (Eoan Ermine):not-affected (8.10.0~dfsg-2)
Ubuntu 20.04 (Focal Fossa):not-affected (8.10.0~dfsg-2)
More Information

Updated: 2020-01-29 18:55:45 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)