Overview
About vulnerability
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to expand() to ensure a step value of 0 is not used.
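A guard implementing the workaround described above, as an added example that is not the brace-expansion project's own code: hasZeroStep() scans a pattern for {x..y..step} sequences whose step is 0, safeExpand() rejects such patterns before handing them to an expander (assumed to be passed in, for instance the result of require('brace-expansion')), and expandRange() is a constructed numeric sequence expander that refuses a zero step so its loop always terminates.

```javascript
// Sequence syntax assumed here: {start..end} or {start..end..step} with
// integer or single-letter bounds. This is an added example, not the
// brace-expansion library's own parser.
const SEQUENCE_RE = /\{(-?\d+|[a-z])\.\.(-?\d+|[a-z])(?:\.\.(-?\d+))?\}/gi;

// Collects every explicit step value found in the pattern's sequences.
function sequenceSteps(pattern) {
  const steps = [];
  for (const m of pattern.matchAll(SEQUENCE_RE)) {
    if (m[3] !== undefined) steps.push(Number(m[3]));
  }
  return steps;
}

// True if any sequence uses a step of 0 (also catches "-0" and "00",
// which Number() normalises to zero).
function hasZeroStep(pattern) {
  return sequenceSteps(pattern).some((s) => s === 0);
}

// Minimal numeric sequence expander that refuses a zero step up front.
// Constructed for this example; the library's own loop differs. With a
// non-zero increment the counter always crosses `end`, so the loop ends.
function expandRange(start, end, step = 1) {
  if (step === 0) throw new RangeError('sequence step must not be 0');
  const incr = Math.abs(step) * (start <= end ? 1 : -1);
  const out = [];
  for (let i = start; incr > 0 ? i <= end : i >= end; i += incr) {
    out.push(String(i));
  }
  return out;
}

// Wrapper around an expander function such as require('brace-expansion').
// The expander is injected so this file runs without the dependency.
function safeExpand(expand, pattern) {
  if (hasZeroStep(pattern)) {
    throw new RangeError(`rejected brace pattern with zero step: ${pattern}`);
  }
  return expand(pattern);
}
```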
Details
- Affected products:
  - @bazel/typescript, @microsoft/api-extractor, @rollup/plugin-commonjs, AlmaLinux 9.2 ESU, Next.js, Node.js, Protocol Buffers, React, TuxCare 9.6 ESU, archiver-utils, autodll-webpack-plugin, babel, babel-plugin-module-resolver, brace-expansion, cacache, clang-format, components, copy-concurrently, del, ejs, eslint-import-resolver-typescript, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, filelist, firefox-profile, fs-extra, fstream, glob, globby, hard-source-webpack-plugin, jake, jasmine-npm, jpm, karma, loopback, loopback-connector, loopback-connector-remote, loopback-datasource-juggler, loopback-phase, maximatch, minimatch, move-concurrently, move-file, multimatch, nuxt, offline-plugin, pdfjs-dist, postcss-functions, postcss-url, protractor, purgecss, recursive-copy, recursive-readdir, remix, rimraf, selenium-webdriver, shelljs, sort-package-json, strong-error-handler, strong-globalize, strong-remoting, style-resources-loader, tailwindcss, tar, terser-webpack-plugin, tmp, uglifyjs-webpack-plugin, webdriver-js-extender, webdriver-manager, webpack, webpack-dev-server, yamljs
- Affected packages:
  - brace-expansion (+286 more)