#VU112890 Inefficient regular expression complexity in brace-expansion - CVE-2025-5889

Cybersecurity Help s.r.o.

Published: 2025-07-15

Vulnerability identifier: #VU112890

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-5889

CWE-ID: CWE-1333

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
brace-expansion
Other software / Other software solutions

Vendor: Julian Gruber

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

brace-expansion: 1.0.0 - 4.0.0

External links
https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
https://vuldb.com/?ctiid.311660
https://vuldb.com/?id.311660
https://vuldb.com/?submit.585717

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM QRadar Investigation Assistant

Multiple vulnerabilities in IBM App Connect Enterprise

openEuler update for nodejs-brace-expansion

Multiple vulnerabilities in IBM Verify Identity Access Digital Credentials

Inefficient regular expression complexity in juliangruber brace-expansion