CVE-2017-18077

unknown

Published 2018-01-29 · Modified 2023-11-08

CVSS v3

—

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

—

Description

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-18077

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`1.1.8-1`
debian	bullseye	fixed	`1.1.8-1`
debian	forky	fixed	`1.1.8-1`
debian	sid	fixed	`1.1.8-1`
debian	trixie	fixed	`1.1.8-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	brace-expansion	`<1.1.7`	`1.1.7`

References

https://nvd.nist.gov/vuln/detail/CVE-2017-18077
https://github.com/juliangruber/brace-expansion/issues/33
https://github.com/juliangruber/brace-expansion/pull/35
https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
https://bugs.debian.org/862712
https://github.com/advisories/GHSA-832h-xg76-4gv6
https://github.com/juliangruber/brace-expansion
https://www.npmjs.com/advisories/338
https://security-tracker.debian.org/tracker/CVE-2017-18077

Verify integrity in audit chain (admin only). AS-IS.