<Vulnerability name="CVE-2026-45822">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-30T08:05:36</PublicDate>
    <Bugzilla id="2494807" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494807" xml:lang="en:us">
decode-uri-component: decode-uri-component: Denial of Service via crafted input
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1050</CWE>
    <Details xml:lang="en:us" source="Mitre">
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the `decode-uri-component` library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by submitting specially crafted input. The `decode()` function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can lead to the application becoming unresponsive and unavailable.
    </Details>
    <Statement xml:lang="en:us">
A denial of service flaw was found in the decode-uri-component npm package. The decode() function exhibits super-linear time complexity when processing input containing many percent-encoded sequences, allowing an attacker to cause significant CPU consumption and event-loop blocking. In Red Hat products where this package is bundled (OpenShift Console, Quay, Pipelines, RHOAI, and others), exploitation requires that attacker-controlled input containing crafted percent-encoded strings reaches the decode() function without prior length validation. Red Hat rates this as Moderate severity since the impact is limited to availability with no confidentiality or integrity impact, consistent with the CNA's CVSS 4.0 assessment of 6.6 Medium.
    </Statement>
    <Mitigation xml:lang="en:us">
Validate and limit the length of any user-controlled input before passing it to decode-uri-component's decode() function. Inputs containing more than approximately 200 percent-encoded tokens (e.g. '%ab' sequences) can trigger noticeable delays. Reject or truncate URI components exceeding a reasonable length threshold before decoding. A fix exists in the upstream repository (commit fa479daf) but has not yet been included in an npm release.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:quay:3.10::el8">
        <ProductName>Red Hat Quay 3.10</ProductName>
        <ReleaseDate>2026-07-16T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:41031">RHSA-2026:41031</Advisory>
        <Package name="quay/quay-rhel8">quay/quay-rhel8:1783750447</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:quay:3.16::el9">
        <ProductName>Red Hat Quay 3.16</ProductName>
        <ReleaseDate>2026-07-16T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:41066">RHSA-2026:41066</Advisory>
        <Package name="quay/quay-rhel9">quay/quay-rhel9:1783955846</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:quay:3.9::el8">
        <ProductName>Red Hat Quay 3.9</ProductName>
        <ReleaseDate>2026-07-15T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:40262">RHSA-2026:40262</Advisory>
        <Package name="quay/quay-rhel8">quay/quay-rhel8:1784125838</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:rhmt:1">
        <ProductName>Migration Toolkit for Containers</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhmtc/openshift-migration-ui-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_pipelines:1">
        <ProductName>OpenShift Pipelines</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-pipelines/pipelines-console-plugin-pf5-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_pipelines:1">
        <ProductName>OpenShift Pipelines</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-pipelines/pipelines-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp21/system</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp22/system</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/system-rhel7</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Affected</FixState>
        <PackageName>3scale-amp2/system-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/system-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>decode-uri-component</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>grafana</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>gjs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>dotnet8.0</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>yarnpkg</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>decode-uri-component</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Affected</FixState>
        <PackageName>decode-uri-component</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-mlflow-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift4/ose-console</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift4/ose-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_distributed_tracing:3">
        <ProductName>Red Hat OpenShift distributed tracing 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhosdt/tempo-jaeger-query-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>satellite/iop-vulnerability-frontend-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-45822
https://nvd.nist.gov/vuln/detail/CVE-2026-45822
https://github.com/SamVerschueren/decode-uri-component/blob/00662938dc7c6241547ae8abce7785cc13ffd3f6/index.js
https://github.com/SamVerschueren/decode-uri-component/commit/fa479dafeede7bedf04e5c89aa78f2a78c664005
https://www.npmjs.com/package/decode-uri-component
    </References>
</Vulnerability>