Vulnerability in brace-expansion Function of Juliangruber's Library
CVE-2025-5889
Key Information:
- Vendor: Juliangruber
- Status:
- CVE Published: 9 June 2025
What is CVE-2025-5889?
A vulnerability exists in the 'expand' function of the brace-expansion library by Juliangruber (versions up to 1.1.11) that leads to inefficient regular expression complexity. A remote attacker who can supply specially crafted input to this function can degrade performance and cause a denial of service. Although the attack complexity is rated high, the issue remains a serious concern because it has been publicly disclosed. Users are strongly advised to apply the available patch (commit a5b98a4f30d7813266b221435e1eaaf25a1b0ac5) to mitigate this issue.
Affected Version(s)
brace-expansion 1.1.0
brace-expansion 1.1.1
brace-expansion 1.1.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to attacks such as ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved