EIQ-2019-0010

ID	EIQ-2019-0010
CVE	-
Description	braces is vulnerable to regular expression denial of service
Date	08 Mar 2019
Severity	1 - LOW
CVSSv3 score	CVSSv3 score not available on NIST NVD.
Status	✅ 2.5.0
Assessment	braces Node.js module versions 2.3.0 and earlier are vulnerable to regular expression denial of service (ReDoS). A regular expression (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) can be used to detect empty braces. This can result in a denial of service (CPU consumption).
Mitigation	Update to braces version 2.3.1 or later.
Affected versions	2.2.1 to 2.4.0 included.
Notes	For more information, see: npm braces advisory snyk report GitHub issue GitHub commit with the fix