NodeJS/brace-expansion/1.1.5
Brace expansion as known from sh/bash
https://www.npmjs.com/package/brace-expansion
MIT
2 Security Vulnerabilities
ReDoS in brace-expansion
Published date: 2018-01-29T15:50:46Z
CVE: CVE-2017-18077
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18077
- https://github.com/advisories/GHSA-832h-xg76-4gv6
- https://github.com/juliangruber/brace-expansion/issues/33
- https://github.com/juliangruber/brace-expansion/pull/35
- https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
- https://www.npmjs.com/advisories/338
- https://bugs.debian.org/862712
- https://nodesecurity.io/advisories/338
Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.
Proof of Concept

```js
// Proof of concept from the advisory: a brace pattern made of many commas
// followed by a newline triggers catastrophic backtracking in versions before 1.1.7.
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```
Recommendation
Update to version 1.1.7 or later.
Affected versions:
["0.0.0", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6"]
Secure versions:
["1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "2.0.0", "2.0.1", "3.0.0", "4.0.0"]
Recommendation:
Update to version 4.0.0.
ReDoS
Published date: 2017-04-25
CVSS Score: 6.2
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
Links:
brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, `{1,2,3,4}` would expand to `1 2 3 4`.
brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. A proof of concept is provided below:

```js
// Proof of concept from the advisory: the same many-comma brace pattern with a
// trailing newline that makes the pre-1.1.7 regular expression backtrack excessively.
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```
Affected versions:
["0.0.0", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6"]
Secure versions:
["1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "2.0.0", "2.0.1", "3.0.0", "4.0.0"]
Recommendation:
Upgrade to version 1.1.7 or later.
19 Other Versions
Version | License | Security (known vulnerabilities) | Released | Age
---|---|---|---|---
0.0.0 | MIT | 2 | 2013-10-13 - 12:58 | over 10 years
1.0.0 | MIT | 2 | 2014-11-30 - 09:58 | over 9 years
1.0.1 | MIT | 2 | 2014-12-03 - 07:58 | over 9 years
1.1.0 | MIT | 2 | 2014-12-16 - 18:58 | over 9 years
1.1.1 | MIT | 2 | 2015-09-27 - 21:58 | over 8 years
1.1.2 | MIT | 2 | 2015-11-28 - 12:58 | over 8 years
1.1.3 | MIT | 2 | 2016-02-11 - 18:51 | about 8 years
1.1.4 | MIT | 2 | 2016-05-01 - 19:14 | about 8 years
1.1.5 | MIT | 2 | 2016-06-15 - 11:21 | almost 8 years
1.1.6 | MIT | 2 | 2016-07-20 - 20:48 | almost 8 years
1.1.7 | MIT | | 2017-04-07 - 08:13 | about 7 years
1.1.8 | MIT | | 2017-06-12 - 07:19 | almost 7 years
1.1.9 | MIT | | 2018-02-09 - 09:53 | about 6 years
1.1.10 | MIT | | 2018-02-09 - 21:13 | about 6 years
1.1.11 | MIT | | 2018-02-10 - 07:42 | about 6 years
2.0.0 | MIT | | 2020-10-05 - 11:41 | over 3 years
2.0.1 | MIT | | 2021-02-22 - 16:18 | about 3 years
3.0.0 | MIT | | 2023-10-07 - 13:31 | 7 months
4.0.0 | MIT | | 2024-02-27 - 11:56 | 2 months