Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1055200?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1055200?format=api", "purl": "pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2", "type": "deb", "namespace": "debian", "name": "node-brace-expansion", "version": "2.0.3+~1.1.2-2", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24912?format=api", "vulnerability_id": "VCID-q2nx-7z24-13dd", "summary": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion\n### Impact\n\nA brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.\n\nThe loop in question:\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184\n\n`test()` is one of\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113\n\nThe increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.\n\nThis affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.\n\n### Patches\n\n\nUpgrade to versions\n- 5.0.5+\n\nA step increment of 0 is now sanitized to 1, which matches bash behavior.\n\n### Workarounds\n\nSanitize strings passed to `expand()` to ensure a step value of `0` is not used.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33750", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06125", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06095", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05995", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06776", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06902", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06628", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06648", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06864", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06846", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06843", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18515", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1822", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18207", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18225", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18309", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18362", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18315", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18263", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18461", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33750" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750" }, { "reference_url": "https://github.com/juliangruber/brace-expansion", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/juliangruber/brace-expansion" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/issues/98", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/issues/98" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/pull/95", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/pull/95" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/pull/96", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/pull/96" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/pull/97", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/pull/97" }, { "reference_url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/" } ], "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163", "reference_id": "1132163", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452285", "reference_id": "2452285", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452285" }, { "reference_url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "reference_id": "GHSA-f886-m6hf-6m8v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055200?format=api", "purl": "pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2" } ], "aliases": [ "CVE-2026-33750", "GHSA-f886-m6hf-6m8v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q2nx-7z24-13dd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21616?format=api", "vulnerability_id": "VCID-q4u6-6pbw-5bcq", "summary": "@isaacs/brace-expansion has Uncontrolled Resource Consumption\n### Summary\n\n`@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.\n\n### Details\n\nThe vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller.\n\nFor example, the following input:\n\n```\n{0..99}{0..99}{0..99}{0..99}{0..99}\n```\n\nproduces:\n\n```\n100^5 = 10,000,000,000 combinations\n```\n\nThis exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination.\n\n### Proof of Concept\n\nThe following script reliably triggers the issue.\n\nCreate `poc.js`:\n\n```js\nconst { expand } = require('@isaacs/brace-expansion');\n\nconst pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';\n\nconsole.log('Starting expansion...');\nexpand(pattern);\n```\n\nRun it:\n\n```bash\nnode poc.js\n```\n\nThe process will freeze and typically crash with an error such as:\n\n```\nFATAL ERROR: JavaScript heap out of memory\n```\n\n### Impact\n\nThis is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash.\n\nAn attacker does not require authentication and can use a very small payload to:\n\n* Trigger exponential computation\n* Exhaust memory and CPU resources\n* Block the event loop\n* Crash Node.js services relying on this library", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25547.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25547.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25547", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05144", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05161", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0519", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05173", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05139", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05088", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05118", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05773", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05412", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05366", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05369", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05532", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05566", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05603", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05609", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05664", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05752", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05764", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05767", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25547" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25547", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25547" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/brace-expansion", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/brace-expansion" }, { "reference_url": "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:24:50Z/" } ], "url": "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313", "reference_id": "1127313", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436942", "reference_id": "2436942", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436942" }, { "reference_url": "https://github.com/advisories/GHSA-7h2j-956f-4vf2", "reference_id": "GHSA-7h2j-956f-4vf2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7h2j-956f-4vf2" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7080", "reference_id": "RHSA-2026:7080", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7123", "reference_id": "RHSA-2026:7123", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7123" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7302", "reference_id": "RHSA-2026:7302", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7302" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7310", "reference_id": "RHSA-2026:7310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7350", "reference_id": "RHSA-2026:7350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7675", "reference_id": "RHSA-2026:7675", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7675" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7983", "reference_id": "RHSA-2026:7983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7983" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055200?format=api", "purl": "pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2" } ], "aliases": [ "CVE-2026-25547", "GHSA-7h2j-956f-4vf2" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q4u6-6pbw-5bcq" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2" }