[GHSA-v6h2-p8h4-qcjw] brace-expansion Regular Expression Denial of Service vulnerability #5701
Conversation
viceice
left a comment
I don't want to change the CVSS, but couldn't submit the change 😕
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N" |
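Review bot: the replacement CVSS v4 vector on the last line of this hunk sets VA:N (no availability impact), which contradicts the advisory itself, a Regular Expression Denial of Service; the vector it replaces carried VA:L. The same line also lowers AC from H to L and PR from L to N with no justification anywhere in the PR, and the author's own comment says the CVSS change was not intended. Suggest restoring the previous vector, or at minimum "VA:L", before this is merged.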
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N" | |
| "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" |
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" | ||
| }, | ||
| { |
| { | |
| { | |
| "type": "CVSS_V3", | |
| "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" | |
| }, | |
| { |
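Review bot: this hunk deletes the whole CVSS_V3 entry ("CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L") with nothing put in its place, so the advisory loses its only v3 score and any consumer that reads v3 vectors will see no severity at all; the PR description lists the removal but gives no reason for it. Keep the v3 entry alongside the v4 one unless the database's conventions call for dropping it, and note that the deleted vector is the one that still recorded an availability impact (A:L) for this denial-of-service issue.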
Pull Request Overview
This PR updates the brace-expansion security advisory to adjust the severity metrics, refine the patched versions, and add database-specific metadata.
- Bumps the modified timestamp by one second
- Removes the CVSS v3 entry and replaces the CVSS v4 vector string
- Replaces the single last_affected field with a combined fixed list and adds database_specific.last_known_affected_version_range
Comments suppressed due to low confidence (3)
advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json:12
- [nitpick] The CVSS v3 entry was removed, which could break integrations or dashboards that expect both v3 and v4 scores. Consider retaining the CVSS v3 vector for backward compatibility or document the rationale for its removal.
"type": "CVSS_V4"
advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json:14
- The CVSS v4 vector appears to use invalid metric keys (e.g., AT:N) and may not conform to the official CVSS v4.0 format. Please verify each metric (for example, Availability should be A:N) against the standard specification.
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json:31
- Combining multiple patch versions into a single fixed string may lead to ambiguity and could violate the advisory schema. Please split each version range into its own entry or use a clearly defined range notation per schema guidelines.
"fixed": "^1.1.12, ^2.0.2, ^3.0.1, >=4.0.1"
linking what looks like the successor to this PR
Thank you for your contribution to the Advisory Database @viceice! This PR was closed in error, but we've since reviewed the information provided and have made the relevant changes to GHSA-v6h2-p8h4-qcjw, and you should be able to see the updates immediately. We've included you on the advisory with an This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates: Added patched versions
Comments: https://github.com/juliangruber/brace-expansion/releases