Skip to content

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#24

Closed
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-1
Closed

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#24
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-1

Conversation

@vmrh21
Copy link
Copy Markdown
Owner

@vmrh21 vmrh21 commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2023-26115 by adding npm override for word-wrap ^1.2.5. This forces all transitive dependencies to use the patched version, resolving a Regular Expression Denial of Service (ReDoS) vulnerability.

CVE Details

  • CVE ID: CVE-2023-26115
  • Package: word-wrap
  • Severity: Moderate (CVSS 5.3)
  • Impact: Regular Expression Denial of Service (ReDoS)
  • Vulnerable versions: < 1.2.5
  • Fixed version: 1.2.5
  • Jira Issues: RHOAIENG-427

Fix Method

Used npm overrides field (recommended approach for this monorepo):

{
  "overrides": {
    "word-wrap": "^1.2.5"
  }
}

Files Changed (4 total)

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Test Results ✅

Status: All tests passed
Test command: npm test
Duration: 44s

Test Summary
  • Test Suites: 4 passed, 4 total
  • Tests: 30 passed, 30 total
  • Backend: PASSED
  • Frontend: PASSED (lint + jest + type-check)

Breaking Changes

None - word-wrap 1.2.5 is a pure security patch with no API changes.

Verification

Before:

word-wrap@1.2.3 (vulnerable)

After:

word-wrap@1.2.5 overridden
CVE-2023-26115 no longer in npm audit

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified word-wrap@1.2.5 with npm list word-wrap
  • Verified CVE resolved with npm audit
  • All monorepo lock files updated (root, backend, frontend)
  • Review no unexpected formatting changes in production

Risk Assessment

Category Risk Level Notes
Breaking Changes None Pure security patch
Dependency Conflicts Low No conflicts detected
Rollback Complexity Low Simple revert

🤖 Generated by CVE Fixer Workflow

@claude
Fix CVE-2023-26115: word-wrap ReDoS Vulnerability
52c8134 
- Add npm override for word-wrap ^1.2.5 to fix CVE-2023-26115
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-427

CVE Details:
- CVE ID: CVE-2023-26115
- Package: word-wrap
- Severity: Moderate (CVSS 5.3)
- Impact: Regular Expression Denial of Service (ReDoS)
- Vulnerable versions: < 1.2.5
- Fixed version: 1.2.5

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None - pure security patch

Testing:
- Verified word-wrap@1.2.5 via npm list
- Confirmed CVE no longer in npm audit
- All automated tests passed (4 suites, 30 tests)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vmrh21
Copy link
Copy Markdown
Owner Author

vmrh21 commented Feb 26, 2026

Closing for fresh test run

@vmrh21 vmrh21 closed this Feb 26, 2026
@vmrh21 vmrh21 deleted the fix/cve-2023-26115-word-wrap-attempt-1 branch February 26, 2026 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vmrh21