Source: node-brace-expansion
Version: 2.0.3+~1.1.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2026-13149[0]:
| brace-expansion through 5.0.6 is vulnerable to denial of service.
| The expand() function exhibits exponential-time complexity in the
| number of consecutive non-expanding '{}' brace groups. An attacker
| who passes a crafted string to expand(), directly or transitively,
| can cause significant CPU consumption and event-loop blocking. The
| max option does not mitigate this, as it bounds the output size
| rather than the recursion work.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13149
    https://www.cve.org/CVERecord?id=CVE-2026-13149
[1] https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
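The advisory notes that the library's `max` option caps the output array but not the recursion work, so an application that feeds untrusted patterns to expand() needs its own bound on the input. The following is an added example, not code from the bug report or the brace-expansion project: a pre-check that counts brace groups (honouring backslash escapes) and refuses a pattern before it reaches expand(). The limit of 16 and the injected `expandFn` parameter are assumptions; the real expand() from the package would be passed in.

```javascript
'use strict';

// Assumed limit: generous for legitimate glob patterns, far below what
// would make exponential recursion noticeable. Tune per workload.
const MAX_BRACE_GROUPS = 16;

// Scan a pattern and count '{' ... '}' groups, treating a backslash as an
// escape for the next character. Returns the group count plus whether any
// opening brace was left unbalanced (a further sign of malformed input).
function countBraceGroups(pattern) {
  let depth = 0;
  let groups = 0;
  let escaped = false;
  for (const ch of pattern) {
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (ch === '{') { depth += 1; groups += 1; }
    else if (ch === '}' && depth > 0) depth -= 1;
  }
  return { groups, unbalanced: depth !== 0 };
}

// Refuse to hand an oversized pattern to expand(). `expandFn` is injected
// (hypothetical parameter) so this file runs without the package installed;
// in production it would be require('brace-expansion').
function guardedExpand(expandFn, pattern, limit = MAX_BRACE_GROUPS) {
  const { groups } = countBraceGroups(pattern);
  if (groups > limit) {
    throw new RangeError(
      `refusing pattern with ${groups} brace groups (limit ${limit})`);
  }
  return expandFn(pattern);
}
```

Because the check is linear in the pattern length, it runs in bounded time even on inputs that would otherwise trigger the exponential path.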