Source: node-brace-expansion
Version: 2.0.3+~1.1.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2026-13149[0]:
| brace-expansion through 5.0.6 is vulnerable to denial of service.
| The expand() function exhibits exponential-time complexity in the
| number of consecutive non-expanding '{}' brace groups. An attacker
| who passes a crafted string to expand(), directly or transitively,
| can cause significant CPU consumption and event-loop blocking. The
| max option does not mitigate this, as it bounds the output size
| rather than the recursion work.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13149
    https://www.cve.org/CVERecord?id=CVE-2026-13149
[1] https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

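Added example, not from the bug report or the brace-expansion project: a defender-side pre-check that counts the empty '{}' groups named in the CVE text and refuses the input before it reaches expand(), since the advisory notes the max option bounds only output size, not recursion work. The threshold MAX_EMPTY_GROUPS and the wrapper name guardedExpand are assumptions of this example.

```javascript
// Defender-side guard for callers of brace-expansion's expand().
// Hypothetical helper, not part of the library; the limit is a constructed
// assumption and should be tuned to the patterns your application expects.

const MAX_EMPTY_GROUPS = 8; // assumed limit on literal '{}' groups per pattern

// Count literal '{}' pairs in the pattern and the longest run of such pairs
// that sit directly next to each other. Counting the total is the more
// conservative check; longestRun is reported for logging or metrics.
function emptyBraceStats(pattern) {
  let total = 0;
  let longestRun = 0;
  let run = 0;
  for (let i = 0; i + 1 < pattern.length; i++) {
    if (pattern[i] === '{' && pattern[i + 1] === '}') {
      total++;
      run++;
      if (run > longestRun) longestRun = run;
      i++; // skip the '}' just consumed
    } else {
      run = 0;
    }
  }
  return { total, longestRun };
}

// True when the pattern stays within the assumed budget of '{}' groups.
function isSafeToExpand(pattern, limit = MAX_EMPTY_GROUPS) {
  if (typeof pattern !== 'string') return false;
  return emptyBraceStats(pattern).total <= limit;
}

// Wrap the real expand() (passed in by the caller) so untrusted patterns are
// rejected up front instead of blocking the event loop inside the library.
function guardedExpand(expand, pattern, opts) {
  if (!isSafeToExpand(pattern)) {
    throw new RangeError('brace pattern rejected: too many empty {} groups');
  }
  return expand(pattern, opts);
}
```

Usage: `guardedExpand(require('brace-expansion'), userInput)` in place of a direct call; the guard is a stopgap, the fix is upgrading to a patched version.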
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel