charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low.
[
{
"product": "charset node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "<1.0.0"
}
]
}
]