This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-23424
- https://github.com/Tjatse/ansi-html/issues/19
- https://snyk.io/vuln/SNYK-JS-ANSIHTML-1296849
- https://github.com/ioet/time-tracker-ui/security/advisories/GHSA-4fjc-8q3h-8r69
- https://github.com/Tjatse/ansi-html/commit/8142b25bca3133ea060bcc1889277dc482327a63
- https://github.com/advisories/GHSA-whgm-jr23-g3j9