Bug 218946 - lang/perl5.24 - remote DoS via CPU exhaustion by exercising glob expansion
Summary: lang/perl5.24 - remote DoS via CPU exhaustion by exercising glob expansion
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mathieu Arnold
URL: https://github.com/Perl/perl5/commit/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-28 23:12 UTC by Sevan Janiyan
Modified: 2017-07-19 14:41 UTC

See Also:
bugzilla: maintainer-feedback? (perl)


Attachments

Description Sevan Janiyan freebsd_committer freebsd_triage 2017-04-28 23:12:43 UTC
A blog post by Russ Cox, titled "Glob Matching Can Be Simple And Fast Too" highlighted the issue.
https://research.swtch.com/glob

Patches landed in the Perl repo to address the issue:
https://perl5.git.perl.org/perl.git/commit/33252c318625f3c6c89b816ee88481940e3e6f95

I don't believe a CVE has been assigned yet but the range of affected software may be quite wide, not sure how that fits in with vuxml.
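The problem behind the report, shown as an added example (not code from the Perl patch or from this ticket): a naive recursive glob matcher explores every way the `*`s can split the name, so a pattern like `a*a*a*a*a*b` against a run of `a`s costs exponential work, whereas the restart-based matcher from the Russ Cox post above does the same job in at most pattern-length times name-length steps. Only `*` and literal characters are handled; `?` and `[...]` are left out for brevity.

```python
# Added example: naive backtracking glob matcher vs. linear-time matcher.
# Both return (matched, steps) so the work done can be compared directly.

def match_backtracking(pattern: str, name: str):
    """Recursive matcher: each '*' tries every possible split of the name."""
    steps = 0

    def rec(p: str, n: str) -> bool:
        nonlocal steps
        steps += 1
        if not p:
            return not n                      # pattern exhausted: name must be too
        if p[0] == '*':
            for i in range(len(n) + 1):       # '*' swallows 0..len(n) characters
                if rec(p[1:], n[i:]):
                    return True
            return False
        return bool(n) and p[0] == n[0] and rec(p[1:], n[1:])

    return rec(pattern, name), steps


def match_linear(pattern: str, name: str):
    """Iterative matcher in the style of Russ Cox's glob post: on a mismatch,
    restart just after the most recent '*' with it consuming one more char.
    Work is bounded by O(len(pattern) * len(name)); no recursion at all."""
    px = nx = 0            # current index into pattern / name
    next_px = next_nx = 0  # restart point: last '*' and the name index to retry
    steps = 0
    while px < len(pattern) or nx < len(name):
        steps += 1
        if px < len(pattern):
            c = pattern[px]
            if c == '*':
                next_px, next_nx = px, nx + 1
                px += 1
                continue
            if nx < len(name) and c == name[nx]:
                px += 1
                nx += 1
                continue
        # Mismatch: retry from the last '*' if it can still swallow a character.
        if 0 < next_nx <= len(name):
            px, nx = next_px, next_nx
            continue
        return False, steps
    return True, steps
```

Constructed input `a*a*a*a*a*b` against twenty `a`s makes the backtracking matcher take tens of thousands of steps while the linear one stays in the low hundreds; both still agree on every match result.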
Comment 1 Mathieu Arnold freebsd_committer freebsd_triage 2017-04-28 23:25:34 UTC
I doubt very much the range of software using regexps in the form of a*a*a*a*a*b is very wide :-)
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2017-06-07 11:58:11 UTC
As a side note, it may seem like this is stalling, but the commit in question has only landed in the blead (devel) version of Perl around 2017-05-31, and not even in 5.26.0.
So, I'm going to wait for something to happen upstream before I commit to any releases.
Comment 3 Mathieu Arnold freebsd_committer freebsd_triage 2017-07-19 14:41:38 UTC
The Perl maintainers do not feel this is a real problem.
They have not added the fix in 5.26.0, and since then, 5.24.2 and 5.22.4 have been released, and they have not added it there either.