Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc5NWYtcDI5cS05eHc0
Regular Expression Denial of Service in braces
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Recommendation
Upgrade to version 2.3.1 or higher.
Permalink: https://github.com/advisories/GHSA-g95f-p29q-9xw4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc5NWYtcDI5cS05eHc0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 5 years ago
Updated: about 2 years ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-g95f-p29q-9xw4
References:
- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
- https://www.npmjs.com/advisories/786
- https://snyk.io/vuln/npm:braces:20180219
- https://github.com/advisories/GHSA-g95f-p29q-9xw4
Blast Radius: 22.5
Affected Packages
npm:braces
Dependent packages: 2,619
Dependent repositories: 1,237,028
Downloads: 228,105,001 last month
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0
All unaffected versions: 2.3.1, 2.3.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3