negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.
The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Upgrade to at least version 0.6.1
Express users should update to Express 4.14.0 or greater. If you want to see
if you are using a vulnerable call, a quick grep for the
function call in your application will tell you if you are using this