PT-2025-24550 · Juliangruber+4 · Brace-Expansion+4

Mmmsssttt +1 · Published 2025-06-09 · Updated 2026-03-27 · CVE-2025-5889

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

juliangruber brace-expansion versions 1.1.11 through 4.0.0

Description

A vulnerability was found in the function expand of the file index.js, leading to inefficient regular expression complexity. The attack may be launched remotely, with a rather high complexity. The exploitation is known to be difficult, and the exploit has been disclosed to the public.

Recommendations

To address this issue, upgrade to version 1.1.12, 2.0.2, 3.0.1, or 4.0.1. As a temporary workaround, consider disabling the expand function until a patch is available. Restrict access to the vulnerable index.js file to minimize the risk of exploitation.
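
To find which installed copies still need the upgrade, the following added example (not code from the brace-expansion project or from this advisory) checks an npm lockfile against the affected range and fixed releases listed above. It assumes the lockfile v2/v3 `packages` layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// First fixed release on each major line, from the Recommendations above.
const FIXED = { 1: [1, 1, 12], 2: [2, 0, 2], 3: [3, 0, 1], 4: [4, 0, 1] };
// Lowest version the advisory lists as affected.
const FIRST_AFFECTED = [1, 1, 11];

// Parse "x.y.z" (pre-release and build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version is inside the advisory's range and older than
// the fixed release of its own major line.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions need manual review
  const fixed = FIXED[v[0]];
  if (!fixed) return false; // major line not covered by this advisory
  return compare(v, FIRST_AFFECTED) >= 0 && compare(v, fixed) < 0;
}

// Walk every installed copy, including ones nested under other packages.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/brace-expansion")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (assumption: npm lockfileVersion 3 layout).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/brace-expansion": { version: "1.1.11" },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/glob/node_modules/brace-expansion": { version: "2.0.2" },
    "node_modules/rimraf/node_modules/brace-expansion": { version: "4.0.1" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

Nested copies matter here: a project can carry several major lines of the package at once, and each must reach the fixed release for its own line.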

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

AZL-63689
AZL-63692
AZL-63704
AZL-63707
AZL-63881
BDU:2026-01715
CVE-2025-5889
GHSA-V6H2-P8H4-QCJW
OESA-2025-1645
OPENSUSE-SU-2025:15269-1
OPENSUSE-SU-2025:15270-1
OPENSUSE-SU-2025:15271-1
OPENSUSE-SU-2025:15273-1
OPENSUSE-SU-2025:15274-1
OPENSUSE-SU-2025:15275-1
OPENSUSE-SU-2025:15276-1
OPENSUSE-SU-2025:15277-1
OPENSUSE-SU-2025:15278-1
OPENSUSE-SU-2025:15279-1
OPENSUSE-SU-2025:15280-1
OPENSUSE-SU-2025:15582-1
SUSE-SU-2025:3744-1

Affected Products

Astra Linux
Debian
RED OS
SUSE
Brace-Expansion