3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-5889

GHSA ID

GHSA-v6h2-p8h4-qcjw

EPSS Score

0.16132%

CWE

CWE-400

Published

6/9/2025

Updated

6/10/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-5889

CVE-2025-5889:
brace-expansion Regular Expression Denial of Service Vulnerability

CVE-2025-5889 identifies a regular expression denial of service (ReDoS) vulnerability in the juliangruber brace-expansion npm package that enables attackers to cause service disruption through inefficient regular expression complexity in the expand function processing. This vulnerability affects brace-expansion versions 1.1.0 through 1.1.11, 2.0.0 through 2.0.1, 3.0.0, and 4.0.0, achieving a CVSS score of 3.1 (Low severity) with EPSS percentile of 16.1 indicating moderate exploit risk for Node.js applications that utilize brace expansion functionality for shell-style pattern matching. The vulnerability details reveal that improper regular expression patterns in the expand function allow attackers to craft malicious input strings that trigger exponential backtracking behavior, creating substantial exploit risk for applications processing user-controlled brace expansion patterns and affecting application availability without impacting data confidentiality or integrity. The root cause analysis reveals that the vulnerability stems from an inefficient regular expression pattern /,.}/ in the expand function that enables catastrophic backtracking attacks, classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The vulnerability specifically affects regular expression processing where the original pattern allowed for excessive computational complexity when parsing specially crafted brace expansion patterns, enabling attackers to trigger known exploited vulnerabilities through malformed input. Mitigation steps require upgrading to patched brace-expansion versions 1.1.12, 2.0.2, 3.0.1, or 4.0.1 which implement optimized regular expression patterns /,(?!,).}/ that prevent catastrophic backtracking while maintaining functional equivalence. Organizations should prioritize identifying Node.js applications using vulnerable brace-expansion versions, implement input validation and rate limiting for pattern processing functionality, monitor CPU usage patterns for ReDoS attack indicators, and maintain updated vulnerability database records to track similar regular expression complexity vulnerabilities that could compromise application availability through resource exhaustion attacks in JavaScript pattern matching libraries and broader security implications for applications processing untrusted user input patterns.

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-5889

GHSA ID

GHSA-v6h2-p8h4-qcjw

EPSS Score

0.16132%

CWE

CWE-400

Published

6/9/2025

Updated

6/10/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
brace-expansion	npm	>= 2.0.1, <= 4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Regular Expression Denial of Service (ReDoS) in the brace-expansion npm package. The provided information explicitly states that the expand function in index.js is affected. I attempted to fetch structured commit information using get_commit_infos and get_commit_urls_from_pull_request, but these attempts failed. However, I was able to fetch the content of the commit page using fetch_url_content. This content included the diff for index.js, showing a change in a regular expression within the expand function. The original regex /,.*}/ was replaced by /,(?!,).*}/. This type of change is characteristic of a ReDoS fix, where an inefficient regex is replaced with a more performant one. The vulnerability description confirms that the issue is related to inefficient regular expression complexity. Therefore, the expand function is identified as the vulnerable function because it contained the problematic regex prior to the patch.

Vulnerable functions

expand

index.js

The function 'expand' in 'index.js' used an inefficient regular expression `/,.*}/` which could lead to a Regular Expression Denial of Service (ReDoS) when processing specially crafted input. An attacker could provide input that causes the regex engine to consume excessive resources, leading to a denial of service. The patch replaces this regex with a more efficient one `/,(?!,).*}/` to mitigate the vulnerability.

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in juli*n*ru**r *r***-*xp*nsion up to *.*.**. It **s ***n r*t** *s pro*l*m*ti*. *****t** *y t*is issu* is t** *un*tion *xp*n* o* t** *il* in**x.js. T** m*nipul*tion l***s to in***i*i*nt r**ul*r *xpr*ssion *ompl*xity. T** *tt

Reasoning

T** vuln*r**ility is * R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) in t** `*r***-*xp*nsion` npm p**k***. T** provi*** in*orm*tion *xpli*itly st*t*s t**t t** `*xp*n*` *un*tion in `in**x.js` is *****t**. I *tt*mpt** to **t** stru*tur** *ommit in*orm*t

3.1

Basic Information

Concerned about an active attack path?

CVE-2025-5889: brace-expansion Regular Expression Denial of Service Vulnerability

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-5889:
brace-expansion Regular Expression Denial of Service Vulnerability

Vulnerability Intelligence
Miggo AI