3 matches found
@github1/ajax-service (>=0.4.0-next.0 <=0.4.44), @github1/react-redux-common-modules (>=0.4.39-next.0 <=0.4.39-next.8) +47 more potentially affected by CVE-2021-33502 via normalize-url (>=4.3.0 <=4.5.0)
normalize-url NPM version =4.3.0, =0.4.0-next.0, =0.4.39-next.0, =5.1.0, =5.7.5 - @plaa/metascraper =5.4.0 - @plaa/metascraper-amazon =5.4.0 - @plaa/metascraper-audio =5.4.0 - @plaa/metascraper-author =5.4.0 - @plaa/metascraper-date =5.4.0 - @plaa/metascraper-description =5.4.0 -...
Regular Expression Denial Of Service (ReDoS)
normalize-url is vulnerable to regular expression denial of service. The usage of an insecure regex allows an attacker to cause a denial of service condition via a malicious URL string...
AZL-44850 CVE-2021-33502 affecting package nodejs-nodemon 2.0.3-5
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs...