Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
Type deb
Namespace debian
Name node-brace-expansion
Version 2.0.3+~1.1.2-1
Qualifiers
distro trixie
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.0.3+~1.1.2-2
Latest_non_vulnerable_version 2.0.3+~1.1.2-2
Affected_by_vulnerabilities
0
url VCID-q4u6-6pbw-5bcq
vulnerability_id VCID-q4u6-6pbw-5bcq
summary
@isaacs/brace-expansion has Uncontrolled Resource Consumption
### Summary

`@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.

### Details

The vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller.

For example, the following input:

```
{0..99}{0..99}{0..99}{0..99}{0..99}
```

produces:

```
100^5 = 10,000,000,000 combinations
```

This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination.

### Proof of Concept

The following script reliably triggers the issue.

Create `poc.js`:

```js
const { expand } = require('@isaacs/brace-expansion');

const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';

console.log('Starting expansion...');
expand(pattern);
```

Run it:

```bash
node poc.js
```

The process will freeze and typically crash with an error such as:

```
FATAL ERROR: JavaScript heap out of memory
```

### Impact

This is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash.

An attacker does not require authentication and can use a very small payload to:

* Trigger exponential computation
* Exhaust memory and CPU resources
* Block the event loop
* Crash Node.js services relying on this library
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25547.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25547.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25547
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05161
published_at 2026-04-11T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05088
published_at 2026-04-02T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05144
published_at 2026-04-12T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05118
published_at 2026-04-04T12:55:00Z
4
value 0.00019
scoring_system epss
scoring_elements 0.05139
published_at 2026-04-07T12:55:00Z
5
value 0.00019
scoring_system epss
scoring_elements 0.05173
published_at 2026-04-08T12:55:00Z
6
value 0.00019
scoring_system epss
scoring_elements 0.0519
published_at 2026-04-09T12:55:00Z
7
value 0.0002
scoring_system epss
scoring_elements 0.05532
published_at 2026-04-21T12:55:00Z
8
value 0.0002
scoring_system epss
scoring_elements 0.05412
published_at 2026-04-13T12:55:00Z
9
value 0.0002
scoring_system epss
scoring_elements 0.05369
published_at 2026-04-18T12:55:00Z
10
value 0.0002
scoring_system epss
scoring_elements 0.05366
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25547
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25547
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25547
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/isaacs/brace-expansion
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/isaacs/brace-expansion
5
reference_url https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:24:50Z/
url https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25547
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25547
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313
reference_id 1127313
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436942
reference_id 2436942
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436942
9
reference_url https://github.com/advisories/GHSA-7h2j-956f-4vf2
reference_id GHSA-7h2j-956f-4vf2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7h2j-956f-4vf2
10
reference_url https://access.redhat.com/errata/RHSA-2026:7080
reference_id RHSA-2026:7080
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7080
11
reference_url https://access.redhat.com/errata/RHSA-2026:7123
reference_id RHSA-2026:7123
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7123
12
reference_url https://access.redhat.com/errata/RHSA-2026:7302
reference_id RHSA-2026:7302
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7302
13
reference_url https://access.redhat.com/errata/RHSA-2026:7310
reference_id RHSA-2026:7310
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7310
14
reference_url https://access.redhat.com/errata/RHSA-2026:7350
reference_id RHSA-2026:7350
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7350
15
reference_url https://access.redhat.com/errata/RHSA-2026:7675
reference_id RHSA-2026:7675
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7675
16
reference_url https://access.redhat.com/errata/RHSA-2026:7983
reference_id RHSA-2026:7983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7983
fixed_packages
0
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie
aliases CVE-2026-25547, GHSA-7h2j-956f-4vf2
risk_score 4.2
exploitability 0.5
weighted_severity 8.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q4u6-6pbw-5bcq
Fixing_vulnerabilities
0
url VCID-3qmf-2f2m-fbes
vulnerability_id VCID-3qmf-2f2m-fbes
summary
Improper Input Validation
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18077.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-18077.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-18077
reference_id
reference_type
scores
0
value 0.0052
scoring_system epss
scoring_elements 0.66858
published_at 2026-04-21T12:55:00Z
1
value 0.0052
scoring_system epss
scoring_elements 0.66828
published_at 2026-04-13T12:55:00Z
2
value 0.0052
scoring_system epss
scoring_elements 0.66875
published_at 2026-04-18T12:55:00Z
3
value 0.0052
scoring_system epss
scoring_elements 0.66861
published_at 2026-04-16T12:55:00Z
4
value 0.0052
scoring_system epss
scoring_elements 0.66754
published_at 2026-04-01T12:55:00Z
5
value 0.0052
scoring_system epss
scoring_elements 0.66794
published_at 2026-04-02T12:55:00Z
6
value 0.0052
scoring_system epss
scoring_elements 0.66819
published_at 2026-04-04T12:55:00Z
7
value 0.0052
scoring_system epss
scoring_elements 0.66791
published_at 2026-04-07T12:55:00Z
8
value 0.0052
scoring_system epss
scoring_elements 0.6684
published_at 2026-04-08T12:55:00Z
9
value 0.0052
scoring_system epss
scoring_elements 0.66854
published_at 2026-04-09T12:55:00Z
10
value 0.0052
scoring_system epss
scoring_elements 0.66874
published_at 2026-04-11T12:55:00Z
11
value 0.0052
scoring_system epss
scoring_elements 0.6686
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-18077
2
reference_url https://bugs.debian.org/862712
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.debian.org/862712
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18077
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18077
4
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
5
reference_url https://github.com/juliangruber/brace-expansion/issues/33
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/issues/33
6
reference_url https://github.com/juliangruber/brace-expansion/pull/35
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/pull/35
7
reference_url https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
8
reference_url https://nodesecurity.io/advisories/338
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/338
9
reference_url https://www.npmjs.com/advisories/338
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/338
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1448380
reference_id 1448380
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1448380
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862712
reference_id 862712
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862712
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-18077
reference_id CVE-2017-18077
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-18077
13
reference_url https://github.com/advisories/GHSA-832h-xg76-4gv6
reference_id GHSA-832h-xg76-4gv6
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-832h-xg76-4gv6
14
reference_url https://access.redhat.com/errata/RHSA-2020:2625
reference_id RHSA-2020:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2625
fixed_packages
0
url pkg:deb/debian/node-brace-expansion@1.1.8-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@1.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@1.1.8-1%3Fdistro=trixie
1
url pkg:deb/debian/node-brace-expansion@2.0.0-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.0-1%3Fdistro=trixie
2
url pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1-2%3Fdistro=trixie
3
url pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2%3Fdistro=trixie
4
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie
5
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie
aliases CVE-2017-18077, GHSA-832h-xg76-4gv6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3qmf-2f2m-fbes
1
url VCID-q2nx-7z24-13dd
vulnerability_id VCID-q2nx-7z24-13dd
summary
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
### Impact

A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

`test()` is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting `max` to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to `expand()`, or that sets a step value of `0` by mistake. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

### Patches


Upgrade to versions
- 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

### Workarounds

Sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.05995
published_at 2026-04-21T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18207
published_at 2026-04-16T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18263
published_at 2026-04-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18315
published_at 2026-04-12T12:55:00Z
4
value 0.00058
scoring_system epss
scoring_elements 0.18362
published_at 2026-04-11T12:55:00Z
5
value 0.00058
scoring_system epss
scoring_elements 0.18309
published_at 2026-04-08T12:55:00Z
6
value 0.00058
scoring_system epss
scoring_elements 0.18225
published_at 2026-04-07T12:55:00Z
7
value 0.00058
scoring_system epss
scoring_elements 0.18515
published_at 2026-04-04T12:55:00Z
8
value 0.00058
scoring_system epss
scoring_elements 0.18461
published_at 2026-04-02T12:55:00Z
9
value 0.00058
scoring_system epss
scoring_elements 0.1822
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
3
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
4
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
5
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
6
reference_url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
7
reference_url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
8
reference_url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
9
reference_url https://github.com/juliangruber/brace-expansion/issues/98
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/issues/98
10
reference_url https://github.com/juliangruber/brace-expansion/pull/95
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/95
11
reference_url https://github.com/juliangruber/brace-expansion/pull/96
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/96
12
reference_url https://github.com/juliangruber/brace-expansion/pull/97
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/97
13
reference_url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
reference_id 1132163
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
reference_id 2452285
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
17
reference_url https://github.com/advisories/GHSA-f886-m6hf-6m8v
reference_id GHSA-f886-m6hf-6m8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f886-m6hf-6m8v
fixed_packages
0
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie
1
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie
aliases CVE-2026-33750, GHSA-f886-m6hf-6m8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q2nx-7z24-13dd
2
url VCID-ugqu-gsa9-y7fq
vulnerability_id VCID-ugqu-gsa9-y7fq
summary
brace-expansion Regular Expression Denial of Service vulnerability
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function `expand` of the file `index.js`. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high, and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 or 4.0.1 addresses this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5889.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-5889
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09387
published_at 2026-04-04T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09338
published_at 2026-04-02T12:55:00Z
2
value 0.00092
scoring_system epss
scoring_elements 0.2577
published_at 2026-04-16T12:55:00Z
3
value 0.00092
scoring_system epss
scoring_elements 0.25769
published_at 2026-04-13T12:55:00Z
4
value 0.00092
scoring_system epss
scoring_elements 0.25825
published_at 2026-04-12T12:55:00Z
5
value 0.00092
scoring_system epss
scoring_elements 0.25866
published_at 2026-04-11T12:55:00Z
6
value 0.00092
scoring_system epss
scoring_elements 0.25855
published_at 2026-04-09T12:55:00Z
7
value 0.00092
scoring_system epss
scoring_elements 0.25804
published_at 2026-04-08T12:55:00Z
8
value 0.00092
scoring_system epss
scoring_elements 0.25732
published_at 2026-04-07T12:55:00Z
9
value 0.00092
scoring_system epss
scoring_elements 0.25725
published_at 2026-04-21T12:55:00Z
10
value 0.00092
scoring_system epss
scoring_elements 0.25753
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-5889
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5889
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5889
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
5
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
6
reference_url https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2
7
reference_url https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f
8
reference_url https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e
9
reference_url https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217
10
reference_url https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-5889
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-5889
12
reference_url https://vuldb.com/?ctiid.311660
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://vuldb.com/?ctiid.311660
13
reference_url https://vuldb.com/?id.311660
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://vuldb.com/?id.311660
14
reference_url https://vuldb.com/?submit.585717
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://vuldb.com/?submit.585717
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107695
reference_id 1107695
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107695
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2371270
reference_id 2371270
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2371270
17
reference_url https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
reference_id GHSA-v6h2-p8h4-qcjw
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
18
reference_url https://access.redhat.com/errata/RHSA-2025:21378
reference_id RHSA-2025:21378
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21378
19
reference_url https://access.redhat.com/errata/RHSA-2025:21704
reference_id RHSA-2025:21704
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21704
20
reference_url https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
reference_id v4.0.1
reference_type
scores
0
value 2.1
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
1
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-09T18:45:24Z/
url https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
fixed_packages
0
url pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2%3Fdistro=trixie
1
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie
2
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie
aliases CVE-2025-5889, GHSA-v6h2-p8h4-qcjw
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ugqu-gsa9-y7fq
Risk_score 4.2
Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie