Skip to content

Regular Expression Denial of Service in braces

low severity Published Jun 6, 2019 • Updated Aug 4, 2021

Package

npm braces (npm)

Affected versions

< 2.3.1

Patched versions

2.3.1

Description

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 2.3.1 or higher.

References

GHSA ID

GHSA-g95f-p29q-9xw4

CVSS Score

3.7 Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L