Your message dated Mon, 06 Apr 2026 10:19:12 +0000
with message-id <[email protected]>
and subject line Bug#1127313: fixed in node-brace-expansion 2.0.3+~1.1.2-2
has caused the Debian Bug report #1127313,
regarding node-brace-expansion: CVE-2026-25547
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-brace-expansion
Version: 2.0.1+~1.1.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-brace-expansion.
CVE-2026-25547[0]:
| @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of
| brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is
| vulnerable to a denial of service (DoS) issue caused by unbounded
| brace range expansion. When an attacker provides a pattern
| containing repeated numeric brace ranges, the library attempts to
| eagerly generate every possible combination synchronously. Because
| the expansion grows exponentially, even a small input can consume
| excessive CPU and memory and may crash the Node.js process. This
| issue has been patched in version 5.0.1.
Note the issue was announced/fixed in the isaacs/brace-expansion fork,
but is present in the original forked code as well, AFAICS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-25547
https://www.cve.org/CVERecord?id=CVE-2026-25547
[1] https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
[2] https://github.com/isaacs/brace-expansion/commit/59d12f1e23accdec8c395ca824cf942c1fdea860
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-brace-expansion
Source-Version: 2.0.3+~1.1.2-2
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-brace-expansion, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-brace-expansion package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Apr 2026 11:52:07 +0200
Source: node-brace-expansion
Architecture: source
Version: 2.0.3+~1.1.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1127313
Changes:
node-brace-expansion (2.0.3+~1.1.2-2) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* Fix DoS via exponential brace expansion (Closes: #1127313, CVE-2025-29770)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel