Debian Patches
Status for node-brace-expansion/2.0.3+~1.1.2-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-25547.patch | Fix DoS via exponential brace expansion (CVE-2026-25547). Add a max parameter (default 100000) to limit the number of expansions and prevent denial of service attacks. | | not-needed | debian | https://github.com/isaacs/brace-expansion/commit/59d12f1e23accdec8c395ca824cf942c1fdea860 | |
| CVE-2026-45149.patch | fix sequence DoS. The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. | Julian Gruber <julian@juliangruber.com> | not-needed | debian upstream | upstream, https://github.com/juliangruber/brace-expansion/commit/c0b095b | |
All known versions for source package 'node-brace-expansion'
- 2.0.3+~1.1.2-3 (forky, sid)
- 2.0.1+~1.1.0-2 (trixie)
- 2.0.1-2 (bookworm)
