NodeJS/brace-expansion/1.1.4


Brace expansion as known from sh/bash

https://www.npmjs.com/package/brace-expansion
MIT

2 Security Vulnerabilities

ReDoS in brace-expansion

Published date: 2018-01-29T15:50:46Z
CVE: CVE-2017-18077
Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion');
// A brace group with a long run of empty comma-separated alternatives followed by a
// newline; in versions before 1.1.7 this input triggers the ReDoS described above.
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation

Update to version 1.1.7 or later.

Affected versions: ["0.0.0", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6"]
Secure versions: ["1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "2.0.0", "2.0.1", "3.0.0", "4.0.0"]
Recommendation: Update to version 4.0.0.

ReDoS

Published date: 2017-04-25
CVSS Score: 6.2
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
brace-expansion is a module that supports bash-like brace expansion in JavaScript. For example, {1,2,3,4} expands to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. A proof of concept is provided below:

var expand = require('brace-expansion');
// Same input as the first advisory: a long run of empty comma-separated alternatives
// inside a brace group, followed by a newline; triggers the ReDoS in versions < 1.1.7.
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Affected versions: ["0.0.0", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6"]
Secure versions: ["1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "2.0.0", "2.0.1", "3.0.0", "4.0.0"]
Recommendation: Upgrade to version 1.1.7 or later.

19 Other Versions

(Security column: number of known vulnerabilities affecting that version; "-" where none. Release times are as listed, with the relative age at the time the page was generated.)

Version  License  Security  Released
4.0.0    MIT      -         2024-02-27 11:56  (about 1 month ago)
3.0.0    MIT      -         2023-10-07 13:31  (6 months ago)
2.0.1    MIT      -         2021-02-22 16:18  (about 3 years ago)
2.0.0    MIT      -         2020-10-05 11:41  (over 3 years ago)
1.1.11   MIT      -         2018-02-10 07:42  (about 6 years ago)
1.1.10   MIT      -         2018-02-09 21:13  (about 6 years ago)
1.1.9    MIT      -         2018-02-09 09:53  (about 6 years ago)
1.1.8    MIT      -         2017-06-12 07:19  (almost 7 years ago)
1.1.7    MIT      -         2017-04-07 08:13  (almost 7 years ago)
1.1.6    MIT      2         2016-07-20 20:48  (over 7 years ago)
1.1.5    MIT      2         2016-06-15 11:21  (almost 8 years ago)
1.1.4    MIT      2         2016-05-01 19:14  (almost 8 years ago)
1.1.3    MIT      2         2016-02-11 18:51  (about 8 years ago)
1.1.2    MIT      2         2015-11-28 12:58  (over 8 years ago)
1.1.1    MIT      2         2015-09-27 21:58  (over 8 years ago)
1.1.0    MIT      2         2014-12-16 18:58  (over 9 years ago)
1.0.1    MIT      2         2014-12-03 07:58  (over 9 years ago)
1.0.0    MIT      2         2014-11-30 09:58  (over 9 years ago)
0.0.0    MIT      2         2013-10-13 12:58  (over 10 years ago)