Vulnerabilities: 1 via 2 paths
Dependencies: 83
Source: GitHub
Commit: 9ff6d23c



Severity: high (new)

Infinite loop

  • Vulnerable module: brace-expansion
  • Introduced through: ejs@3.1.10 and ejs-mate@4.0.0

Detailed paths

  • Introduced through: sinophonia@essteer/sinophonia#9ff6d23c3ae01a62c48b4b8253f9e56ca61df57b ejs@3.1.10 jake@10.9.4 filelist@1.0.6 minimatch@5.1.9 brace-expansion@2.0.3
    Remediation: Upgrade to ejs@5.0.1.
  • Introduced through: sinophonia@essteer/sinophonia#9ff6d23c3ae01a62c48b4b8253f9e56ca61df57b ejs-mate@4.0.0 ejs@3.1.10 jake@10.9.4 filelist@1.0.6 minimatch@5.1.9 brace-expansion@2.0.3

Overview

brace-expansion is an npm package that implements brace expansion as known from sh/bash.

Affected versions of this package are vulnerable to an infinite loop in the expand function when it processes a brace pattern with a zero step value. An attacker can cause the process to hang and exhaust system memory by supplying specially crafted input such as {1..2..0}. This can lead to significant resource consumption and denial of service.

Workaround

This vulnerability can be mitigated by sanitizing strings passed to expand to ensure a step value of 0 is not used.

Remediation

Upgrade brace-expansion to version 5.0.5 or higher.
