CVE-2018-1109: Regular Expression Denial of Service (ReDoS) in braces

January 6, 2022 (updated November 26, 2025)

A vulnerability was found in Braces versions from v2.2.0 up to but not including v2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This has been patched in version 2.3.1.

References

bugzilla.redhat.com/show_bug.cgi?id=1547272
github.com/advisories/GHSA-cwfw-4gq5-mrqx
github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
nvd.nist.gov/vuln/detail/CVE-2018-1109
snyk.io/vuln/npm:braces:20180219

Code Behaviors & Features

Detect and mitigate CVE-2018-1109 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →