CVE-2020-36661: 
NixOS vulnerability analysis and mitigation

A vulnerability was identified in Kong lua-multipart version 0.5.8-1, affecting the is_header function within src/multipart.lua. The issue was classified as problematic due to inefficient regular expression complexity that could lead to performance issues (CVE Mitre).

The vulnerability stems from an inefficient pattern matching implementation in the is_header function. The original pattern '(%S+):%s*(%S+)' could take indeterminate time on long input strings, potentially leading to excessive processing time. For example, processing a text of 200,000 characters could take up to 150 seconds (GitHub PR).

When exploited, this vulnerability could cause significant performance degradation in systems using the affected component, potentially leading to denial of service conditions due to the inefficient processing of certain input patterns.

The issue has been resolved in version 0.5.9-1 by replacing the problematic pattern with a more efficient one ('%S:%s*%S') that matches the same set of strings but executes in linear time. The fix is identified by commit d632e5df43a2928fd537784a99a79dec288bf01b. Users are recommended to upgrade to version 0.5.9-1 or later (GitHub Release).