node-brace-expansion - Debian Package Tracker

general

source: node-brace-expansion (main)
version: 2.0.3+~1.1.2-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Sruthi Chandran [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.0.0-1
oldstable: 2.0.1-2
stable: 2.0.1+~1.1.0-2
testing: 2.0.3+~1.1.2-2
unstable: 2.0.3+~1.1.2-2

versioned links

2.0.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.1+~1.1.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.3+~1.1.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-brace-expansion

action needed

A new upstream version is available: 5.0.5+~1.1.2 high

A new upstream version 5.0.5+~1.1.2 is available, you should consider packaging it.

Created: 2026-04-06 Last update: 2026-04-13 00:30

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-25547: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
CVE-2026-33750: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

Created: 2026-02-06 Last update: 2026-04-08 05:00

3 security issues in bullseye high

There are 3 open security issues in bullseye.

1 important issue:

CVE-2026-33750: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

2 issues postponed or untriaged:

CVE-2025-5889: (postponed; to be fixed through a stable update) A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.
CVE-2026-25547: (postponed; to be fixed through a stable update) @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Created: 2026-03-28 Last update: 2026-04-08 05:00

3 security issues in bookworm high

There are 3 open security issues in bookworm.

2 important issues:

CVE-2026-25547: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
CVE-2026-33750: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

1 issue left for the package maintainer to handle:

CVE-2025-5889: (needs triaging) A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-06-11 Last update: 2026-04-08 05:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 03cf70442aa4ebd3a87f41914234899009c4d0f0
Author: Xavier Guimard <yadd@debian.org>
Date:   Mon Apr 6 20:00:47 2026 +0200

    Fix bad CVE name

Created: 2026-04-06 Last update: 2026-04-06 19:30

news

[rss feed]

[2026-04-08] node-brace-expansion 2.0.3+~1.1.2-2 MIGRATED to testing (Debian testing watch)
[2026-04-06] Accepted node-brace-expansion 2.0.3+~1.1.2-2 (source) into unstable (Xavier Guimard)
[2026-04-02] node-brace-expansion 2.0.3+~1.1.2-1 MIGRATED to testing (Debian testing watch)
[2026-03-29] Accepted node-brace-expansion 2.0.3+~1.1.2-1 (source) into unstable (Xavier Guimard)
[2025-06-17] node-brace-expansion 2.0.1+~1.1.0-2 MIGRATED to testing (Debian testing watch)
[2025-06-12] Accepted node-brace-expansion 2.0.1+~1.1.0-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-09-24] node-brace-expansion 2.0.1+~1.1.0-1 MIGRATED to testing (Debian testing watch)
[2023-09-22] Accepted node-brace-expansion 2.0.1+~1.1.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-25] node-brace-expansion 2.0.1-2 MIGRATED to testing (Debian testing watch)
[2022-11-22] Accepted node-brace-expansion 2.0.1-2 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2022-01-01] node-brace-expansion 2.0.1-1 MIGRATED to testing (Debian testing watch)
[2021-12-30] Accepted node-brace-expansion 2.0.1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-11-04] node-brace-expansion 2.0.0-1 MIGRATED to testing (Debian testing watch)
[2020-11-02] Accepted node-brace-expansion 2.0.0-1 (source) into unstable (Xavier Guimard)
[2020-01-17] node-brace-expansion 1.1.11-1 MIGRATED to testing (Debian testing watch)
[2020-01-14] Accepted node-brace-expansion 1.1.11-1 (source) into unstable (Xavier Guimard)
[2018-09-29] Accepted node-brace-expansion 1.1.8-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2017-08-06] Accepted node-brace-expansion 1.1.6-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Sruthi Chandran) (signed by: Praveen Arimbrathodiyil)
[2017-07-04] node-brace-expansion 1.1.8-1 MIGRATED to testing (Debian testing watch)
[2017-06-28] Accepted node-brace-expansion 1.1.8-1 (source) into unstable (Sruthi Chandran)
[2016-11-06] node-brace-expansion 1.1.6-1 MIGRATED to testing (Debian testing watch)
[2016-10-26] Accepted node-brace-expansion 1.1.6-1 (source all) into unstable, unstable (Sruthi Chandran) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.0.1+~1.1.0-2