CVE-2025-5889: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in juliangruber brace-expansion up to versions 1.1.11/2.0.1/3.0.0/4.0.0, identified as CVE-2025-5889. The vulnerability affects the expand function in the index.js file and involves inefficient regular expression complexity. The issue was disclosed on June 9, 2025, and has been rated as problematic (NVD, CVE).

The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). It has received a CVSS v3.1 Base Score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L. The CVSS v4.0 score is 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability can lead to a denial-of-service condition through inefficient regular expression processing. While the vulnerability has no direct impact on confidentiality or integrity, it can affect the availability of the system (Wiz).

A patch has been released with the commit a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. Users are recommended to upgrade to versions 1.1.12, 2.0.2, 3.0.1, or 4.0.1 to address this issue (Github Release).