CVE-2025-5889Uncontrolled Resource Consumption in Node-brace-expansion

CWE-400Uncontrolled Resource ConsumptionCWE-1333Regex Denial of Service8 documents7 sources
Severity
2.3LOWNVD
EPSS
0.1%
top 74.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Debian Node-brace-expansionJuliangruber Brace-expansionMsrc Azl3 Python-tensorboard 2.16.2-6 ON Azure Linux 3.0+4 more
Timeline
PublishedJun 9
Latest updateOct 15

Description

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 i

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages8 packages

npmjuliangruber/brace-expansion2.0.02.0.2+3
CVEListV5juliangruber/brace-expansion16 versions+15
debiandebian/node-brace-expansion< node-brace-expansion 2.0.1+~1.1.0-2 (forky)

🔴Vulnerability Details

3
OSV
CVE-2025-5889: A vulnerability was found in juliangruber brace-expansion up to 12025-06-09
GHSA
brace-expansion Regular Expression Denial of Service vulnerability2025-06-09
OSV
brace-expansion Regular Expression Denial of Service vulnerability2025-06-09

📋Vendor Advisories

4
Oracle
Oracle Oracle Communications Applications Risk Matrix: Microservices (brace-expansion) — CVE-2025-58892025-10-15
Microsoft
juliangruber brace-expansion index.js expand redos2025-06-10
Red Hat
brace-expansion: juliangruber brace-expansion index.js expand redos2025-06-09
Debian
CVE-2025-5889: node-brace-expansion - A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0...2025