[core] Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #65
Merged
juliangruber merged 3 commits into juliangruber:main from Jun 11, 2025
Conversation
Can this PR be reviewed and merged considering this: GHSA-v6h2-p8h4-qcjw

Hi @juliangruber, please accept the PR :D
telix5000 approved these changes Jun 11, 2025

@isaacs I think you have admin write permissions to this repo as well?
harrytran998 approved these changes Jun 11, 2025

Could this be backported to v2 and v3 releases?
please also v1 because it's transitively used by
Owner: @someonestolemyusername pull requests improving the test welcome
Thanks @juliangruber!
Now the advisory needs to be updated; I tried it, but it seems I made a mistake 😕
Thanks for backporting the fix @juliangruber! I noticed it's been released on GitHub, but not published to npm yet. Is that something you're working on still?

@breadadams it has been released to npm as well
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jun 11, 2025
https://build.opensuse.org/request/show/1284756 by user dgarcia + anag_factory - refresh node modules * update brace-expansion to 1.1.12 and 2.0.2 CVE-2025-5889, gh#juliangruber/brace-expansion#65, bsc#1244343
Steps to reproduce
Hello,
I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.
Location of Issue:
The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.
brace-expansion/index.js, line 157 in 6a39bdd
PoC Files and Comparisons:
gist: https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
use time:
Proposed Solution:
Change the regular expression to
change:
https://github.com/mmmsssttt404/brace-expansion/blob/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5/index.js#L157
Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.
Best regards,
Search keywords: ReDoS