brace-expansion
npm · 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting brace-expansion
- CVE-2017-18077 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 1.1.7 · 2018-01-27
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
- CVE-2025-5889 · LOW · CVSS 3.1 · EG 3.1 · ✓ Fixed in 4.0.1 · 2025-06-09
vulnerable: 4.0.0
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular e…
- CVE-2026-33750 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 1.1.13 · 2026-03-27
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loo…