Vulnerabilities

2 via 2 paths

Dependencies

20

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 2
Status
  • 2
  • 0
  • 0

high severity
new

Inefficient Algorithmic Complexity

  • Vulnerable module: brace-expansion
  • Introduced through: brace-expansion@4.0.1

Detailed paths

  • Introduced through: vscode-fileutils@sleistner/vscode-fileutils brace-expansion@4.0.1
    Remediation: Upgrade to brace-expansion@5.0.7.

Overview

brace-expansion is a Brace expansion as known from sh/bash

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted string containing multiple consecutive non-expanding '{}' brace groups. The max option does not prevent this issue, as it only limits the output size and not the computational workload.

Remediation

Upgrade brace-expansion to version 5.0.7 or higher.

References

high severity

Infinite loop

  • Vulnerable module: brace-expansion
  • Introduced through: brace-expansion@4.0.1

Detailed paths

  • Introduced through: vscode-fileutils@sleistner/vscode-fileutils brace-expansion@4.0.1
    Remediation: Upgrade to brace-expansion@5.0.5.

Overview

brace-expansion is a Brace expansion as known from sh/bash

Affected versions of this package are vulnerable to Infinite loop through the expand function when processing a brace pattern with a zero step value. An attacker can cause the process to hang and exhaust system memory by supplying specially crafted input, such as {1..2..0}. This can lead to significant resource consumption and denial of service.

Workaround

This vulnerability can be mitigated by sanitizing strings passed to expand to ensure a step value of 0 is not used.

Remediation

Upgrade brace-expansion to version 1.1.13, 2.0.3, 3.0.2, 5.0.5 or higher.

References