hydrogen-dev / projecthydro.org

https://projecthydro.org/

Regular Expression Denial of Service (ReDoS) #11

Open larrycameron80 opened 4 years ago

larrycameron80 commented 4 years ago

Regular Expression Denial of Service (ReDoS)

Vulnerable module: braces
Introduced through: react-scripts@2.1.1

Detailed paths

Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › micromatch@2.3.11 › braces@1.8.5
Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › jest-haste-map@23.6.0 › micromatch@2.3.11 › braces@1.8.5
Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › jest-config@23.6.0 › micromatch@2.3.11 › braces@1.8.5

Remediation: Upgrade to react-scripts@3.0.0.

…and 60 more

Overview

braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (`^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}`) in order to detect empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.
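To make the advisory's claim concrete, here is an added example (not part of the issue, and not code from braces or from the reporter) that puts the quoted regex, exactly as quoted and therefore without a trailing `$`, next to a hand-written single-pass scanner that accepts the same language, and times both on an adversarial input. The names `isEmptyBracesRegex`, `isEmptyBracesLinear`, `implementationsAgree`, `adversarial` and `timeMs`, and the sample corpus, are constructed for this example; the scanner is an illustration of a backtracking-free check, not the change that braces actually shipped in its fixed release.

```javascript
// Added example, not braces' own code: the empty-brace regex quoted in the
// advisory (as quoted, no trailing `$`) beside a linear-time scanner.
// All identifiers below are names chosen for this example.

const EMPTY_BRACES_RE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

function isEmptyBracesRegex(str) {
  return EMPTY_BRACES_RE.test(str);
}

// Same language as the regex, one left-to-right pass, no backtracking:
//   '{'  ','*  ( '{' ','+ '}' )*  ','*  '}'   with at least one top-level ','
// (branch 1 of the regex requires the comma before the groups, branch 2 after;
//  together that is "at least one top-level comma somewhere").
function isEmptyBracesLinear(str) {
  let i = 0;
  if (str[i++] !== '{') return false;
  let topLevelCommas = 0;
  while (str[i] === ',') { i++; topLevelCommas++; }
  while (str[i] === '{') {
    // an inner group is '{', one or more commas, '}'; anything else rejects
    i++;
    let innerCommas = 0;
    while (str[i] === ',') { i++; innerCommas++; }
    if (innerCommas === 0 || str[i] !== '}') return false;
    i++;
  }
  while (str[i] === ',') { i++; topLevelCommas++; }
  // The quoted pattern has no `$`, so text after the closing '}' is allowed.
  return topLevelCommas > 0 && str[i] === '}';
}

// Constructed corpus: accepted shapes, rejected shapes, and a short version
// of the adversarial "never closes" input.
const SAMPLES = [
  '{,}', '{,,}', '{,{,}}', '{{,},}', '{,{,}{,,},}', '{,}}tail',
  '{}', '{{,}}', '{,{}}', '{,{,}', '{,x}', '{,{,}x', '', ',}',
  '{' + ','.repeat(200) + 'x',
];

// True when regex and scanner give the same verdict on every sample.
function implementationsAgree(samples = SAMPLES) {
  return samples.every((s) => isEmptyBracesRegex(s) === isEmptyBracesLinear(s));
}

// Adversarial input: '{', n commas, then a character that can never close the
// pattern. The regex tries every split of the comma run between `,+` and `,*`
// in both alternatives before failing, so its work grows quadratically in n;
// the scanner rejects it after one pass.
function adversarial(n) {
  return '{' + ','.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call; for showing growth, not for asserting.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

console.log('regex and scanner agree on samples:', implementationsAgree());
for (const n of [1000, 4000]) {
  const input = adversarial(n);
  console.log(`n=${n}: regex ${timeMs(isEmptyBracesRegex, input).toFixed(1)} ms, ` +
              `linear ${timeMs(isEmptyBracesLinear, input).toFixed(3)} ms`);
}
```

Quadrupling n should roughly multiply the regex time by sixteen while the scanner stays flat; extrapolating that curve to the 50K characters named in the advisory is where the reported seconds come from. In a build pipeline this only matters if an attacker controls the glob or brace pattern reaching micromatch, which is rarely the case for a static site's test runner, so the practical fix is the one the report gives: upgrade react-scripts so the transitive braces version is no longer in the affected range.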