Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Our security scan tool just scanned this critical CVE out -- GHSA-7h2j-956f-4vf2
GHSA-7h2j-956f-4vf2
@isaacs/brace-expansion is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.
Expected Behavior
No response
Steps To Reproduce
No response
Environment
- npm: 11.8.0
- Node.js:
- OS Name:
- System Model Name:
- npm config:
; copy and paste output from `npm config ls` here
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Our security scan tool just scanned this critical CVE out -- GHSA-7h2j-956f-4vf2
GHSA-7h2j-956f-4vf2
@isaacs/brace-expansion is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.
Expected Behavior
No response
Steps To Reproduce
No response
Environment
; copy and paste output from `npm config ls` here