brace-expansion is vulnerable to Denial of Service (DoS)
53
Medium Risk
brace-expansion expands shell-style brace patterns through a recursive expand_ function that computes the post segment unconditionally before the early-return branches that discard it. An input containing many consecutive non-expanding {} groups forces each recursion level to expand the remaining tail twice, producing exponential-time behavior in the number of groups. A short pattern of roughly ninety bytes blocks the single-threaded event loop for minutes, the max option does not bound this work, and untrusted input reaching expand() directly or through minimatch/glob can stall a worker or process. The fix defers computing post until a brace set actually expands and converts the rewrite step from recursion into an in-function loop.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input to expand() directly or through brace patterns in minimatch/glob.
brace-expansion is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 1.1.15, 2.0.0 - 2.1.1 and 3.0.0 - 5.0.6.
Upgrade the brace-expansion library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant