negotiator is an HTTP content negotiator for Node.js that is used by many modules and frameworks, including Express and Koa. In negotiator 0.6.0 and earlier, parsing of the “Accept-Language” header is vulnerable to Regular Expression Denial of Service (ReDoS) via a specially crafted string.
[
  {
    "product": "negotiator node module",
    "vendor": "HackerOne",
    "versions": [
      {
        "status": "affected",
        "version": "<= 0.6.0"
      }
    ]
  }
]