
Security: Fix CVE-2023-26115 (word-wrap ReDoS)#33

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2023-26115-word-wrap-attempt-1

Conversation

@vmrh21 vmrh21 (Owner) commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2023-26115 by upgrading word-wrap from 1.2.3 to 1.2.5 using npm overrides.

CVE Details

  • CVE ID: CVE-2023-26115
  • Package: word-wrap
  • Severity: MODERATE (CVSS 5.3)
  • Impact: Regular Expression Denial of Service (ReDoS) via excessive backtracking
  • Vulnerable versions: <1.2.5
  • Fixed version: 1.2.5
  • Jira Issues: RHOAIENG-427

Test Results ✅

Status: All tests passed

Tests discovered: Yes
Test command: npm test
Result: PASSED
Duration: 43.5s

Test Summary
  • Total: 30 tests
  • Passed: 30
  • Failed: 0
  • Skipped: 0

Test suites: 4 passed, 4 total

Fix Approach

  • Used npm overrides field to force word-wrap ^1.2.5
  • Updated all monorepo lock files (root, backend, frontend)
  • No application code changes required

Breaking Changes

None - this is a pure security patch with no API changes.

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified word-wrap@1.2.5 via npm list
  • Verify CVE is resolved with security scan
  • Manual testing of affected text wrapping functionality

Files Changed

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Risk Assessment

  • Risk Level: LOW
  • Reason: Security patch with no breaking changes
  • Testing: All existing unit tests pass

🤖 Generated by CVE Fixer Workflow

- Add npm override for word-wrap ^1.2.5 to fix CVE-2023-26115
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-427

CVE Details:
- CVE ID: CVE-2023-26115
- Package: word-wrap
- Severity: MODERATE (CVSS 5.3)
- Impact: Regular Expression Denial of Service via excessive backtracking
- Vulnerable versions: <1.2.5
- Fixed version: 1.2.5

Files Changed (4 total):
- package.json (added overrides for word-wrap)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None (security patch only)

Pre-PR Testing:
- Test framework: jest
- Test command: npm test
- Result: PASSED ✅
- Total tests: 30
- All tests passed
- Duration: 43.5s

Testing:
- Verified word-wrap@1.2.5 via npm list
- All unit tests passed

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
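The checklist above verifies the upgrade with `npm list`, which only inspects the tree npm has installed locally. The following is an added example, not code from this PR or from the word-wrap project, that performs the same check directly against the `packages` map of a lockfileVersion 2/3 `package-lock.json` so it can be run over all three monorepo lockfiles (root, backend, frontend) in CI without installing anything. The two lockfile objects and the `optionator` dependency are constructed sample data, not taken from the repository; the override object mirrors the `overrides` field the PR adds.

```javascript
// Added example (not part of the PR): confirm that an npm override for word-wrap
// took effect in every copy recorded in a package-lock.json, including nested
// copies under other packages' node_modules directories.
// Assumption: lockfileVersion 2/3 layout with a "packages" map keyed by
// "node_modules/<name>" paths (nested copies look like
// "node_modules/<parent>/node_modules/<name>").

const MIN_FIXED = '1.2.5'; // fixed version named in the advisory

// Minimal comparison for plain x.y.z version strings (no pre-release handling).
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `pkg` in a parsed lockfile, with its install path.
function findInstalled(lock, pkg) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/' + pkg || path.endsWith('/node_modules/' + pkg)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// Copies whose resolved version is still below the fixed version.
function vulnerableCopies(lock, pkg, minFixed) {
  return findInstalled(lock, pkg).filter((c) => compareVersions(c.version, minFixed) < 0);
}

// Shape of the override the PR adds to the root package.json.
const packageJson = {
  name: 'monorepo-root',
  overrides: { 'word-wrap': '^1.2.5' },
};

// Constructed sample lockfiles. "before": a transitive dependency still pins a
// nested 1.2.3 copy. "after": the override hoisted a single 1.2.5 copy.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'monorepo-root' },
    'node_modules/optionator': { version: '0.9.1', dependencies: { 'word-wrap': '^1.2.3' } },
    'node_modules/optionator/node_modules/word-wrap': { version: '1.2.3' },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'monorepo-root', overrides: packageJson.overrides },
    'node_modules/optionator': { version: '0.9.1', dependencies: { 'word-wrap': '^1.2.3' } },
    'node_modules/word-wrap': { version: '1.2.5' },
  },
};

function main() {
  for (const [label, lock] of [['before', lockBefore], ['after', lockAfter]]) {
    const bad = vulnerableCopies(lock, 'word-wrap', MIN_FIXED);
    console.log(label, bad.length ? 'STILL VULNERABLE: ' + JSON.stringify(bad) : 'OK');
  }
}
main();
```

In a real run, replace the constructed objects with `JSON.parse(fs.readFileSync(path))` for each of `package-lock.json`, `backend/package-lock.json` and `frontend/package-lock.json`; a non-empty result from `vulnerableCopies` means a lockfile was not regenerated after the override and the nested copy would still ship.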
@github-actions

This PR is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale label Mar 20, 2026
@github-actions

This PR was closed because it has been stale for 21+7 days with no activity.

@github-actions github-actions bot closed this Mar 27, 2026