CVE-2018-1109 - Medium Severity Vulnerability
Vulnerable Library - braces-2.3.0.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.0.tgz
Path to dependency file: /wagtail/package.json
Path to vulnerable library: /node_modules/findup-sync/node_modules/braces/package.json
Dependency Hierarchy:
- gulp-3.9.1.tgz (Root Library)
  - liftoff-2.5.0.tgz
    - findup-sync-2.0.0.tgz
      - micromatch-3.1.4.tgz
        - :x: **braces-2.3.0.tgz** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2021-03-30
URL: CVE-2018-1109
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
Release Date: 2021-03-30
Fix Resolution (braces): 2.3.1
Direct dependency fix Resolution (gulp): 4.0.0