The affected code is located in matching.coffee-line321. It uses the vulnerable regular expression ^(.+?)\1+$. When the match fails, it will cause catastrophic backtracking.
I trigger the vulnerability using the javascript script below

const zxcvbn = require("zxcvbn");
attackStr = '\x00\x00' + ('\x00'.repeat(54773)) + '\n'
zxcvbn(attackStr)

I know this is usually used client side,but when run server side there has possible DOS. It is my pleasure to provide a patch to repair the ReDoS vulnerability.