CVE-2018-1109
Regular Expression Denial of Service (ReDoS) in braces
EPSS 0.36%
Description
A vulnerability was found in Braces versions from v2.2.0 up to but not including v2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This has been patched in version 2.3.1.
How to fix CVE-2018-1109
To remediate CVE-2018-1109, upgrade the affected package to a fixed version below.
- npm/braces: upgrade to 2.3.1 or later
Is CVE-2018-1109 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/braces: >= 2.2.0, < 2.3.1