Your message dated Wed, 24 Jun 2026 09:04:56 +0000
with message-id <[email protected]>
and subject line Bug#1138576: fixed in node-brace-expansion 2.0.3+~1.1.2-3
has caused the Debian Bug report #1138576,
regarding node-brace-expansion: CVE-2026-45149
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138576: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138576
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-brace-expansion
Version: 2.0.3+~1.1.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-brace-expansion.
CVE-2026-45149[0]:
| The brace-expansion library generates arbitrary strings containing a
| common prefix and suffix. From 5.0.0 to before 5.0.6, the max option
| was being applied too late. When expanding a single large numeric
| range like {1..10000000}, the sequence generation loop generates all
| 10 million intermediate elements before the max limit is applied.
| With max=10, the output is correctly limited to 10 items, but the
| process still allocates ~505 MB and spends ~800ms building the full
| intermediate array. This vulnerability is fixed in 5.0.6.
Need your help here: the advisory claims the issue affects 5.0.0
before 5.0.6, but is the issue present before that? Maybe at least back
to v3.0.0? Can you please evaluate that properly for the versions
released in Debian and report back where the issue was introduced?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-45149
https://www.cve.org/CVERecord?id=CVE-2026-45149
[1] https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
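The failure mode the advisory describes (the `max` option applied only after the full numeric sequence has been materialised) is easy to reproduce in miniature. The block below is an added illustration and is not brace-expansion's own code: it is a deliberately minimal `{start..end}` expander written for this page, with a "late" variant that truncates after generating everything and an "early" variant that stops the loop once `max` elements exist. The function names `expandRangeLate`, `expandRangeEarly` and `parseNumericRange`, and the option shape `{ max }`, are assumptions for this example, not the library's API.

```javascript
// Added example for the CVE-2026-45149 pattern ("max applied too late").
// NOT brace-expansion's own code; a minimal numeric-range expander written
// here to contrast late and early enforcement of a `max` limit.
// All function names and the `{ max }` option shape are hypothetical.

// Parse a "{start..end}" integer range; returns null for anything else.
function parseNumericRange(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)\}$/.exec(pattern);
  if (!m) return null;
  return { start: Number(m[1]), end: Number(m[2]) };
}

// Vulnerable shape: build every element, then slice to `max`.
// Time and memory scale with |end - start|, not with `max`, so a
// {1..10000000} input does all 10 million pushes even when max=10.
// `generated` reports how many intermediate elements were allocated.
function expandRangeLate(pattern, { max = Infinity } = {}) {
  const r = parseNumericRange(pattern);
  if (!r) return { result: [pattern], generated: 0 };
  const step = r.start <= r.end ? 1 : -1;
  const all = [];
  for (let i = r.start; step > 0 ? i <= r.end : i >= r.end; i += step) {
    all.push(String(i));
  }
  return { result: all.slice(0, max), generated: all.length };
}

// Hardened shape: check the limit inside the loop and stop as soon as
// `max` elements exist. Work is bounded by min(range length, max).
function expandRangeEarly(pattern, { max = Infinity } = {}) {
  const r = parseNumericRange(pattern);
  if (!r) return { result: [pattern], generated: 0 };
  const step = r.start <= r.end ? 1 : -1;
  const out = [];
  for (let i = r.start; step > 0 ? i <= r.end : i >= r.end; i += step) {
    if (out.length >= max) break;
    out.push(String(i));
  }
  return { result: out, generated: out.length };
}

// Run both variants on the same input and report allocations and time.
function compare(pattern, max) {
  const report = {};
  for (const fn of [expandRangeLate, expandRangeEarly]) {
    const t0 = Date.now();
    const { result, generated } = fn(pattern, { max });
    report[fn.name] = { returned: result.length, generated, ms: Date.now() - t0 };
  }
  return report;
}

// Constructed demo input. The advisory's case is {1..10000000}; a smaller
// range is used here so the demo stays cheap, but the shape is identical:
// both variants return 10 items, only the late one generates them all.
console.log(compare('{1..1000000}', 10));
```

The `generated` counter is the number to watch: with the late variant it equals the range length regardless of `max`, which is exactly the allocation the advisory measures as ~505 MB for ten million elements. When reviewing a fix for this class of bug, confirm the limit is checked inside the generation loop (or the generator is lazy) rather than trusting a truncated return value.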
--- Begin Message ---
Source: node-brace-expansion
Source-Version: 2.0.3+~1.1.2-3
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-brace-expansion, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-brace-expansion
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Jun 2026 10:39:03 +0200
Source: node-brace-expansion
Architecture: source
Version: 2.0.3+~1.1.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1138576
Changes:
node-brace-expansion (2.0.3+~1.1.2-3) unstable; urgency=medium
.
* Team upload
* Fix bad CVE id in previous upload
* Fix sequence DoS (Closes: #1138576, CVE-2026-45149)
Checksums-Sha1:
24c4a01c72a8cd782381938731531d0f3758e92f 2578
node-brace-expansion_2.0.3+~1.1.2-3.dsc
811b994213be9324c1a2d8f63306de9655885397 5284
node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz
Checksums-Sha256:
e7ecd929fc2e092581ed2d44244188aad8805062be974e085db5f8d39038f81f 2578
node-brace-expansion_2.0.3+~1.1.2-3.dsc
44b0b3ae8f2b4ae28ed86ed44ff095bb172c8077d6f00addc70cf2ce49e8b032 5284
node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz
Files:
df90c8357fc7eaef4852b95162bab879 2578 javascript optional
node-brace-expansion_2.0.3+~1.1.2-3.dsc
5465e995dab7b11cb5ec4dec444a8e5f 5284 javascript optional
node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmo7mBoACgkQ9tdMp8mZ
7umISRAAjWtCkWCAwVm8yzTs56EKN86y96qEuiLE8ShRYYbPAF1IA7yum15CAKfC
TB76FAvI4/kZieKWQb4NxxSeLunIVljZK/odG1mPaQiEQKnP4n3zHczyRwcaieJr
8JYVJG397wGIVguqwDKG54wSiampaqe4hHnzQNiUDdfbuK6eghSUQUaNo0fjPGPx
z2b4pLSvukCq9K8YN35gf8MO4L//764fhAEITxxyU/1w2zQEU/usnpJbm+ZyipDn
9j0biD13O6Qazz4iKf/0tkgM1YGZDBAUwwX+aVpwnXMpbDNegLm6wLTN/f+QzIq8
ChfGy69QSxm0TfXTC774eOH9kfZmyqKySITNO37BPUcLDZULCXQBoRM4xLdZQX2O
Oo5gs/R9Z45snjp3PUkOaXFJ0sS7u6xNWlcw5Hylw/rsQvNMUq4TRk6smT4KBj4P
rdoatoww5T0MNkHQk4W10CxOwmm9GsXiMsd0l/HbuXdzRFovNPl/rLwt7hou3/k3
8dL2xrA9OdTUBIkK4t6ABf57aN3f0LpaZTYE4gobTbrt/3UG4dloHveVHIsE4pJ7
ONS37+mC3sqSKzKxj4m4hHQ1xd6muChpknHpi2rXlU5uFPRGZyl2DsNyYOyPnddn
kOm+JYefN9D6cXCInd+mxNxzjgvOcqHYOx2d714a8/+4ZbFptt8=
=d/tP
-----END PGP SIGNATURE-----
--- End Message ---