brace-expansion Regular Expression Denial of Service vulnerability #24

New issue

Closed

opened 2025-06-11 02:58:40 +00:00 by martinr92 · 0 comments

martinr92 commented 2025-06-11 02:58:40 +00:00 (Migrated from gitlab.com)

Copy link

⚠️ dependabot-gitlab has detected security vulnerability for brace-expansion in path: /, manifest_file: /package.json but was unable to update it! ⚠️

• https://github.com/advisories/GHSA-v6h2-p8h4-qcjw

Package	Severity	Affected versions	Patched versions	IDs
brace-expansion (NPM)	LOW	>= 2.0.1, <= 4.0.0		GHSA-v6h2-p8h4-qcjw,CVE-2025-5889

Description

A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-5889
• https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
• https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
• https://vuldb.com/?ctiid.311660
• https://vuldb.com/?id.311660
• https://vuldb.com/?submit.585717
• https://github.com/advisories/GHSA-v6h2-p8h4-qcjw

⚠️ `dependabot-gitlab` has detected security vulnerability for `brace-expansion` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️ * https://github.com/advisories/GHSA-v6h2-p8h4-qcjw | Package | Severity | Affected versions | Patched versions | IDs | |-----------------------|----------|--------------------|------------------|---------------------------------------| | brace-expansion (NPM) | LOW | >= 2.0.1, <= 4.0.0 | | `GHSA-v6h2-p8h4-qcjw`,`CVE-2025-5889` | # Description A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue. # References * https://nvd.nist.gov/vuln/detail/CVE-2025-5889 * https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5 * https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466 * https://vuldb.com/?ctiid.311660 * https://vuldb.com/?id.311660 * https://vuldb.com/?submit.585717 * https://github.com/advisories/GHSA-v6h2-p8h4-qcjw

martinr92 closed this issue 2025-10-02 21:49:41 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/https-github.com-sonarsource-sonarqube-scan-action-8.x

renovate/vue-tsc-3.x-lockfile

renovate/eslint-plugin-vue-10.x-lockfile

renovate/github.com-jackc-pgx-v5-5.x

renovate/vue-router-5.x-lockfile

renovate/lucide-vue-1.x-lockfile

renovate/vue-3.x-lockfile

renovate/vite-8.x-lockfile

renovate/eslint-10.x-lockfile

develop

feature/plugins

beta

dependabot-npm_and_yarn-develop-eslint-9.33.0

v1.0.7

v1.0.7-beta.1

v1.0.6

v1.0.6-beta.2

v1.0.6-beta.1

v1.0.5

v1.0.5-beta.1

v1.0.4

v1.0.4-beta.1

v1.0.3

v1.0.3-beta.1

v1.0.2

v1.0.2-beta.1

v1.0.1

v1.0.1-beta.1

v1.0.0

v1.0.0-beta.1

v0.10.1

v0.10.1-beta.1

v0.10.0

v0.10.0-beta.4

v0.10.0-beta.3

v0.10.0-beta.2

v0.10.0-beta.1

v0.9.2

v0.9.2-beta.1

v0.9.1

v0.9.1-beta.1

v0.9.0

v0.9.0-beta.1

v0.8.0

v0.8.0-beta.1

v0.7.0

v0.7.0-beta.1

v0.6.0

v0.6.0-beta.1

v0.5.7

v0.5.7-beta.2

v0.5.7-beta.1

v0.5.6

v0.5.6-beta.1

v0.5.5

v0.5.5-beta.1

v0.5.4

v0.5.4-beta.1

v0.5.3

v0.5.3-beta.1

v0.5.2

v0.5.2-beta.1

v0.5.1

v0.5.1-beta.1

v0.5.0

v0.5.0-beta.1

v0.4.6

v0.4.6-beta.1

v0.4.5

v0.4.5-beta.1

v0.4.4

v0.4.4-beta.1

v0.4.3

v0.4.3-beta.1

v0.4.2

v0.4.2-beta.1

v0.4.1

v0.4.1-beta.1

v0.4.0

v0.4.0-beta.1

v0.3.0

v0.3.0-beta.2

v0.3.0-beta.1

v0.2.0

v0.2.0-beta.2

v0.2.0-beta.1

v0.1.1

v0.1.1-beta5

v0.1.1-beta4

v0.1.1-beta3

v0.1.1-beta2

v0.1.1-beta1

v0.1.0

v0.1.0-beta1

Labels

Clear labels   

bug

  

confirmed

  

critical

  

dependencies

Pull requests that update a dependency file

  

discussion

  

docker

  

documentation

  

enhancement

  

go

  

javascript

  

security

Pull requests that address a security vulnerability

  

severity:high

  

severity:low

  

severity:moderate

  

suggestion

  

support

No labels

bug

confirmed

critical

dependencies

discussion

docker

documentation

enhancement

go

javascript

security

severity:high

severity:low

severity:moderate

suggestion

support

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

marty-media/server#24

No description provided.