Skip to content

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#18

Closed
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-1
Closed

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#18
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-1

Conversation

@vmrh21
Copy link
Copy Markdown
Owner

@vmrh21 vmrh21 commented Feb 19, 2026
edited
Loading

Summary

This PR fixes CVE-2023-26115 by upgrading word-wrap to 1.2.5 via npm overrides.

CVE Details

  • CVE ID: CVE-2023-26115
  • Package: word-wrap
  • Severity: MODERATE (CVSS 5.3)
  • Impact: Regular Expression Denial of Service (ReDoS) vulnerability that can cause CPU exhaustion
  • Vulnerable versions: < 1.2.4
  • Fixed version: 1.2.5
  • Jira Issues: RHOAIENG-427

Fix Method

Used npm overrides field in root package.json to force word-wrap ^1.2.5 across all transitive dependencies. This is the recommended approach for fixing transitive dependency vulnerabilities.

Test Results ✅

Status: ✅ All tests passed

Test Discovery: Tests found in package.json
Test Command: npm test
Test Framework: Jest + ESLint + TypeScript
Duration: 8.3 seconds

Test Summary
  • Test Suites: 4 passed, 4 total
  • Tests: 30 passed, 30 total
  • Snapshots: 0 total
  • Components Tested:
    • Backend linting and type checking ✅
    • Frontend unit tests ✅
      • notebookControllerUtils.spec.ts
      • EnabledApplications.spec.tsx
      • ExploreApplications.spec.tsx
      • LearningCenter.spec.tsx

Verdict: The word-wrap security fix does not break any existing functionality.

Changes

Files Changed (4 total):

  1. package.json - Added npm overrides for word-wrap ^1.2.5
  2. package-lock.json - Updated root workspace
  3. backend/package-lock.json - Updated backend workspace
  4. frontend/package-lock.json - Updated frontend workspace

Note: This is a monorepo - all workspace lock files must be updated together.

Breaking Changes

None. word-wrap 1.2.5 is a pure security patch with no API changes.

Testing Checklist

  • Pre-fix verification: CVE-2023-26115 present in npm audit
  • Post-fix verification: word-wrap@1.2.5 installed
  • Post-fix verification: CVE no longer in npm audit
  • Test execution: All 30 tests passed
  • Manual functionality testing (recommended)

Risk Assessment

Risk Factor Level Details
Breaking Changes None Security patch only
Dependency Conflicts Low Override applied cleanly
Functionality Impact Very Low word-wrap is transitive dependency
Test Results ✅ Passed All automated tests passed
Rollback Complexity Very Low Single override removal

References

🤖 Generated by CVE Fixer Workflow

@vm1299 @claude
Fix CVE-2023-26115: word-wrap ReDoS Vulnerability
acc67d2 
- Add npm override for word-wrap ^1.2.5 to fix CVE-2023-26115
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-427

CVE Details:
- CVE ID: CVE-2023-26115
- Package: word-wrap
- Severity: MODERATE (CVSS 5.3)
- Impact: Regular Expression Denial of Service vulnerability
- Vulnerable versions: < 1.2.4
- Fixed version: 1.2.5

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None - word-wrap 1.2.5 is a pure security patch

Testing:
- Verified word-wrap@1.2.5 via npm list
- Confirmed CVE-2023-26115 no longer in npm audit

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vmrh21
Copy link
Copy Markdown
Owner Author

vmrh21 commented Feb 19, 2026

Test complete - resetting for fresh test

@vmrh21 vmrh21 closed this Feb 19, 2026
@vmrh21 vmrh21 deleted the fix/cve-2023-26115-word-wrap-attempt-1 branch February 19, 2026 19:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vmrh21 @vm1299