CVE-2018-1109 — Incorrect Regular Expression in Project Braces

CWE-185 — Incorrect Regular Expression CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 42.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Braces Project Braces Debian Node-braces

Timeline

PublishedMar 30

Latest updateJan 6

Description

A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDbraces_project/braces< 2.3.1

▶npmbraces_project/braces2.2.0 — 2.3.1

▶debiandebian/node-braces

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Regular Expression Denial of Service (ReDoS) in braces↗2022-01-06

▶

OSV

Regular Expression Denial of Service (ReDoS) in braces↗2022-01-06

▶

OSV

CVE-2018-1109: A vulnerability was found in Braces versions prior to 2↗2021-03-30

▶

📋Vendor Advisories

Red Hat

nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js↗2018-02-19

▶

Debian

CVE-2018-1109: node-braces - A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Af...↗2018

▶

💬Community

Bugzilla

CVE-2018-1109 nodejs-braces: braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js [fedora-28]↗2018-06-29

▶

Bugzilla

CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js↗2018-02-20

▶