OCPBUGS-94130: Fix CVE-2026-45822 decode-uri-component DoS vulnerability#16704
OCPBUGS-94130: Fix CVE-2026-45822 decode-uri-component DoS vulnerability#16704jrangelramos wants to merge 1 commit into
Conversation
|
@jrangelramos: This pull request references Jira Issue OCPBUGS-94130, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jrangelramos The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
Walkthrough
Changesfrontend package configuration
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 14 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@jrangelramos: This pull request references Jira Issue OCPBUGS-94130, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
Bump decode-uri-component from 0.2.0 to 0.5.0 via yarn resolutions to fix a denial of service vulnerability where crafted input causes super-linear parsing time in decodeComponents(). Version 0.5.0 rewrites the decoder as a single-pass UTF-8 scanner, eliminating the issue. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
e20e3b4 to
4ddadd1
Compare
|
/retest-required |
|
@jrangelramos: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Analysis / Root cause
decode-uri-componentthrough 0.4.1 is vulnerable to denial of service (CVE-2026-45822, CVSS 7.5). Thedecode()function splits input on%and callsdecodeComponents(), which exhibits super-linear parsing time — 200%abtokens take ~0.7s, 700 tokens ~6s, 1400 tokens ~33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.The package is a transitive dependency pulled in by two paths:
@console/git-service→gitlab@10.0.1→query-string@6.8.3→decode-uri-component@0.2.0snapdragon@0.8.2→source-map-resolve@0.5.3→decode-uri-component@0.2.0Solution description
Bump
decode-uri-componentfrom 0.2.0 to 0.5.0 via yarn resolutions infrontend/package.json. Version 0.5.0 (upstream commit) rewrites the decoder as a single-pass UTF-8 scanner, eliminating the super-linear parsing behavior entirely.This follows the existing pattern used for other CVE resolution overrides (
shell-quote,protobufjs,fast-uri, etc.).Test cases
yarn installcompletes without errorswebpack --mode=production) succeedsAdditional info
Summary by CodeRabbit
0.5.0for more consistent builds and fewer runtime surprises.decode-uri-componentis processed during tests instead of being ignored, improving test coverage accuracy and reliability.