Regular Expression Denial of Service (ReDoS)

[larrycameron80]

Regular Expression Denial of Service (ReDoS)
Vulnerable module: braces
Introduced through: [email protected]
Detailed paths
Introduced through: blockchain-wallet-client@blockchain/My-Wallet-V3#c0bf5615c862fb8d7ec5e3f5031c2998b8ddc690 › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Overview
braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.