Juliangruber · Brace-Expansion · CVE-2025-5889
**Name of the Vulnerable Software and Affected Versions**
juliangruber brace-expansion, every release line from 1.x to 4.x below its fixed version: 1.x up to and including 1.1.11, 2.x below 2.0.2, 3.x below 3.0.1, and 4.0.0 (the range "1.1.11 through 4.0.0" is per major line, not a single contiguous span; 1.1.12, 2.0.2 and 3.0.1 inside that span are fixed releases)
**Description**
The function `expand` in index.js uses a regular expression whose matching time grows super-linearly on crafted input (inefficient regular expression complexity, i.e. ReDoS). A pattern string supplied by a remote user can therefore keep the process busy in the match long after a well-formed pattern of the same length would have returned. The attack complexity is rated high and exploitation is considered difficult, but a public proof of concept has been disclosed, so the issue should be treated as exploitable wherever `expand` receives attacker-controlled input.
**Recommendations**
To address this issue, upgrade to version 1.1.12, 2.0.2, 3.0.1, or 4.0.1.
As a temporary workaround until the upgrade lands, do not pass attacker-controlled strings to `expand` (directly, or through callers that perform brace expansion on user input), or cap the length of such strings before they reach it, since the cost of the vulnerable match grows with the size of the input.
brace-expansion is usually installed as a transitive dependency rather than a direct one, so list every installed copy with `npm ls brace-expansion --all` and, where a direct dependency cannot be bumped yet, pin the fixed release with an `overrides` entry in package.json (`resolutions` for Yarn), then re-run the listing to confirm no affected copy remains.
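The version ranges above are easy to misread in a single-range check, so here is an added example (not code from brace-expansion or from the advisory) that encodes the per-major-line fixed versions and walks an `npm ls --all --json` style dependency tree to report every installed copy that predates its fix. The sample tree is constructed for illustration and is not real `npm ls` output; the 0.x and 5.x+ lines are treated as outside the advisory because it names no fix for them.

```javascript
// Added example: audit an `npm ls --all --json` dependency tree for copies of
// brace-expansion that predate the fixed releases named in CVE-2025-5889.

// First fixed release of each affected major line, per the advisory.
const FIXED_BY_MAJOR = {
  1: [1, 1, 12],
  2: [2, 0, 2],
  3: [3, 0, 1],
  4: [4, 0, 1],
};

// Parse "1.1.11" (also "v1.1.11" or with a prerelease/build suffix) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is in a release line covered by the advisory and is
// older than that line's fix. 0.x and 5.x+ are not listed by the advisory
// and are reported as not affected.
function isAffected(version) {
  const v = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[v[0]];
  return fixed !== undefined && compareVersions(v, fixed) < 0;
}

// Walk a tree shaped like `npm ls --all --json` ({ name, version, dependencies: { name: { version, dependencies } } })
// and return every path at which an affected copy of `pkgName` is installed.
function findAffectedCopies(tree, pkgName = 'brace-expansion') {
  const hits = [];
  const visit = (node, path) => {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const childPath = [...path, `${name}@${child.version}`];
      if (name === pkgName && child.version && isAffected(child.version)) {
        hits.push({ version: child.version, path: childPath.join(' > ') });
      }
      visit(child, childPath); // nested copies may hide under any dependency
    }
  };
  visit(tree, [tree.name ? `${tree.name}@${tree.version}` : '(root)']);
  return hits;
}

// Constructed sample tree (hypothetical package names, not real `npm ls` output):
// one affected 1.x copy pulled in transitively, one fixed 2.x copy, and an
// affected 4.0.0 installed as a direct dependency.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '0.1.0',
  dependencies: {
    'tool-a': { version: '5.0.0', dependencies: { 'brace-expansion': { version: '1.1.11' } } },
    'tool-b': { version: '7.2.0', dependencies: { 'brace-expansion': { version: '2.0.2' } } },
    'brace-expansion': { version: '4.0.0' },
  },
};

// Report the two affected copies with the dependency path that pulls each one in.
console.log(JSON.stringify(findAffectedCopies(SAMPLE_TREE), null, 2));
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` and fix each reported path by upgrading the parent dependency or adding an `overrides` entry for the fixed release of that major line.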