Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2025-5889[0]:
| A vulnerability was found in juliangruber brace-expansion up to
| 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected
| by this issue is the function expand of the file index.js. The
| manipulation leads to inefficient regular expression complexity. The
| attack may be launched remotely. The complexity of an attack is
| rather high. The exploitation is known to be difficult. The exploit
| has been disclosed to the public and may be used. Upgrading to
| version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this
| issue. The name of the patch is
| a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to
| upgrade the affected component.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5889
https://www.cve.org/CVERecord?id=CVE-2025-5889
[1] https://github.com/juliangruber/brace-expansion/pull/65
[2] https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Hello,

Bug #1107695 in node-brace-expansion reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-brace-expansion/-/commit/e86630eb742cbef33dd11026c711e6414f1dc511

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1107695

We believe that the bug you reported is fixed in the latest version of
node-brace-expansion, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-brace-expansion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 12 Jun 2025 11:55:12 +0200
Source: node-brace-expansion
Architecture: source
Version: 2.0.1+~1.1.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1107695
Changes:
 node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium
 .
   * Declare compliance with policy 4.7.2
   * Fix potential ReDoS vulnerability or inefficient regular expression
     (Closes: #1107695, CVE-2025-5889)
Checksums-Sha1:
 0babe77122efb5d70dd12e70c93b9cbcc2296ed3 2578 node-brace-expansion_2.0.1+~1.1.0-2.dsc
 a6e4db12b50c5e335c9b1d246ea9e66ef778db3f 3948 node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
Checksums-Sha256:
 28cfc7eb03f58eff8bd197945f3cc06fd379fc9e2642a74a50b7d7ee3d77d9b2 2578 node-brace-expansion_2.0.1+~1.1.0-2.dsc
 b1af64846423fa2f488e9664c6618000b65846b0cb937beea481d7de8d9c01f3 3948 node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
Files:
 65e51bc4b5076189fd7600a0376a8fe8 2578 javascript optional node-brace-expansion_2.0.1+~1.1.0-2.dsc
 ab1619368c8a14fee2ec65e7cd19f73a 3948 javascript optional node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmhKpUYACgkQ9tdMp8mZ
7umncw//YPbxKMb7tbG95ifseCWTrhXzNRGjr9jdxwwtFE5eWbfgV2N8eTK1EWVK
MwhpS5uy2YlVNYYgqbi2d9XD5f9f0qhp0uqeby8q+TXAYK/TBQkrj7uflbFD/Q1W
+uQw1QU9XGDbMb3LVX1q718jKk4x49d+IDXAdhSU6QMghrfJ0oK7HLvxnMeiMIgX
Ohqklq6Ka21+CQyvEXhbalj0z49BNr5itC6E7r9/AXU41k7i40tDCbjXb0UM0X26
epjyPU4IZGSFfBFxNrK/+I8c4mbEAQhZew5EYLfHSLQZ6xmEd7PJRinhVTIFl4ht
hYyO0Cl/uQpkT2PmYAdXlVoqDc7EA9oxCpaGjQL5ok/qKPDPfSL+L5RRSghzpKIv
hC0eHKKL/Yz6NgMq669nmrmBxgBviMJxUCEoP8ofZyLaMpcZTZg45blcqZ9B/ph9
EZN1AuCksmrtrykMvTgfDB7bRMnyY3NmH4IILTFpRfEpF8hUahV7LPsHh2NOTN/E
qKYcwHExD1YNR6SE7lyRuLigaX47GxPtfUyyMCwWFT4NpEATxR6y7oYT0m/H8z8I
ZMa1+eB8weq1Foy4l9GyOR10fSe1xuDbK9AhSjagOVlup5p3G/LYa63HIBq2nwu1
AfgzftGNtomrKzYlzs0eZxG4VKD7uv8TZN8L1CCMugiBvUP7s8k=
=1kTL
-----END PGP SIGNATURE-----