Skip to content

ReDoS in brace-expansion

High severity GitHub Reviewed Published Jan 29, 2018 • Updated Sep 3, 2021

Package

npm brace-expansion (npm)

Affected versions

< 1.1.7

Patched versions

1.1.7

Description

Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation

Update to version 1.1.7 or later.

References

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2017-18077

GHSA ID

GHSA-832h-xg76-4gv6
Checking history
See something to contribute? Suggest improvements for this vulnerability.