GMS-2019-117: Regular Expression Denial of Service in braces

June 6, 2019 (updated August 4, 2021)

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 2.3.1 or higher.

References

github.com/advisories/GHSA-g95f-p29q-9xw4
github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
snyk.io/vuln/npm:braces:20180219
www.npmjs.com/advisories/786

Code Behaviors & Features

Detect and mitigate GMS-2019-117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →