CVE-2025-5889

low

Published 2025-06-09 · Modified 2026-02-04

CVSS v3

3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v2

2.1

VIR risk

3.1

Description

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Predictions

Exploit likelihood

42%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-5889

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-5889.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	affected
debian	bullseye	affected
debian	forky	fixed	`2.0.1+~1.1.0-2`
debian	sid	fixed	`2.0.1+~1.1.0-2`
debian	trixie	fixed	`2.0.1+~1.1.0-2`

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	brace-expansion	`>=2.0.0,<2.0.2`	`2.0.2`
npm	brace-expansion	`>=1.0.0,<1.1.12`	`1.1.12`
npm	brace-expansion	`>=3.0.0,<3.0.1`	`3.0.1`
npm	brace-expansion	`>=4.0.0,<4.0.1`	`4.0.1`

References

CWEs

CWE-400 CWE-1333

Verify integrity in audit chain (admin only). AS-IS.