Source: node-brace-expansion
Version: 2.0.1+~1.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/juliangruber/brace-expansion/pull/65
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2025-5889[0]:
| A vulnerability was found in juliangruber brace-expansion up to
| 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected
| by this issue is the function expand of the file index.js. The
| manipulation leads to inefficient regular expression complexity. The
| attack may be launched remotely. The complexity of an attack is
| rather high. The exploitation is known to be difficult. The exploit
| has been disclosed to the public and may be used. Upgrading to
| version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this
| issue. The name of the patch is
| a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to
| upgrade the affected component.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5889
    https://www.cve.org/CVERecord?id=CVE-2025-5889
[1] https://github.com/juliangruber/brace-expansion/pull/65
[2] https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
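The advisory above names the fixed releases (1.1.12, 2.0.2, 3.0.1 and 4.0.1) but a dependency tree usually carries several nested copies of brace-expansion (minimatch alone pulls in the 1.x line). The following is an added example, not part of the bug report or of the brace-expansion project: it compares every brace-expansion entry in a package-lock.json "packages" map against the fixed version for its major line, using only the version numbers stated in the CVE text. The lockfile contents are constructed for the example; the semver parser is deliberately minimal (major.minor.patch plus an optional pre-release tag) and reports any major line the advisory does not mention as "unknown" rather than guessing.

```javascript
// Added example: check brace-expansion versions against CVE-2025-5889 fixed
// releases. Not code from the Debian bug report or from brace-expansion itself.

// Fixed versions as stated in the CVE-2025-5889 advisory text.
const FIXED_BY_MAJOR = { 1: '1.1.12', 2: '2.0.2', 3: '3.0.1', 4: '4.0.1' };

// Minimal semver parser: "v" prefix tolerated, build metadata ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before the release with the same
// numbers, so "2.0.2-beta.1" is still counted as older than the fix.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Classify one brace-expansion version: 'vulnerable', 'fixed' or 'unknown'.
function assessVersion(version) {
  const { major } = parseSemver(version);
  const fixedIn = FIXED_BY_MAJOR[major];
  if (!fixedIn) return { version, status: 'unknown', fixedIn: null };
  const status = compareSemver(version, fixedIn) < 0 ? 'vulnerable' : 'fixed';
  return { version, status, fixedIn };
}

// Walk a package-lock.json (lockfileVersion 2 or 3) "packages" map and report
// every installed copy of brace-expansion, nested ones included.
function assessLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    if (path === 'node_modules/brace-expansion' ||
        path.endsWith('/node_modules/brace-expansion')) {
      results.push({ path, ...assessVersion(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile (hypothetical project with nested copies).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/brace-expansion': { version: '2.0.1' },
    'node_modules/minimatch/node_modules/brace-expansion': { version: '1.1.12' },
    'node_modules/old-tool/node_modules/brace-expansion': { version: '1.1.11' },
  },
};

// Human-readable report lines, one per installed copy.
function formatReport(lock) {
  return assessLockfile(lock).map(
    (r) => `${r.status.padEnd(10)} ${r.version.padEnd(10)} ${r.path}` +
           (r.fixedIn ? ` (fixed in ${r.fixedIn})` : '')
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const line of formatReport(lock)) console.log(line);
}
```

Run it as `node check.js package-lock.json` against a real lockfile, or with no argument to see the constructed sample; `npm ls brace-expansion` gives the same tree view but does not compare against the fixed versions for you.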