juliangruber brace-expansion
cpe:2.3:a:brace_expansion_project:brace_expansion:*:*:*:*:*:*:*
- < 5.0.5
A denial-of-service vulnerability has been identified in the brace-expansion library, affecting versions prior to 5.0.5 on the 5.x line and prior to 3.0.2, 2.0.3, and 1.1.13 on the 3.x, 2.x, and 1.x lines. The issue arises when a brace pattern with a zero step value, such as '{1..2..0}', is used. This causes the sequence generation loop to run indefinitely, leading to a process hang of several seconds and excessive memory allocation. The vulnerability can be exploited by passing untrusted strings to the 'expand()' function or by inadvertently setting a step value of zero. This behavior is particularly problematic in applications that use minimatch or glob patterns sourced from command-line arguments or configuration files.
Exploitation of this vulnerability causes the application to hang for several seconds and consume a significant amount of memory, approximately 1.9 GB, before throwing a RangeError. This behavior can disrupt normal application functioning and potentially lead to application crashes.
To reproduce this vulnerability, use a brace pattern with a zero step value in a version of the brace-expansion library that is prior to 5.0.5, 3.0.2, 2.0.3, or 1.1.13. The 'expand()' function will hang indefinitely and consume excessive memory until a RangeError is thrown.
Users can upgrade to brace-expansion versions 5.0.5, 3.0.2, 2.0.3, or 1.1.13, all of which include the necessary fix. After updating, it is recommended to sanitize any strings passed to the 'expand()' function to ensure that a zero step value is not used.
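One way to carry out the sanitization recommended above, as an added example and not code from the brace-expansion project: a pre-check that rejects any brace group whose sequence step is zero before the pattern reaches expand(). The two regular expressions approximate the library's numeric and alphabetic sequence syntax, and expandFn is an assumed parameter standing in for the real expand() function.

```javascript
// Added example, not part of brace-expansion: reject zero-step sequences
// such as '{1..2..0}' (also nested, e.g. 'a{b,{x..z..0}}c') before expand().
const NUM_SEQ = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/;        // {1..5..2}
const ALPHA_SEQ = /^([a-zA-Z])\.\.([a-zA-Z])(?:\.\.(-?\d+))?$/; // {a..z..3}

// Collect the body of every balanced {...} group, outermost and nested.
// A backslash escapes the following character, so '\{' is not a group.
function braceBodies(pattern) {
  const bodies = [];
  const openAt = [];
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '{') {
      openAt.push(i);
    } else if (ch === '}' && openAt.length > 0) {
      bodies.push(pattern.slice(openAt.pop() + 1, i));
    }
  }
  return bodies;
}

// True when any brace group is a sequence whose explicit step parses to 0
// ('0', '00' and '-0' all count, since -0 === 0 in JavaScript).
function hasZeroStepSequence(pattern) {
  return braceBodies(pattern).some((body) => {
    const m = NUM_SEQ.exec(body) || ALPHA_SEQ.exec(body);
    return m !== null && m[3] !== undefined && parseInt(m[3], 10) === 0;
  });
}

// Guard wrapper: expandFn is assumed to be the library's expand().
// Throws instead of letting a zero-step pattern reach the sequence loop.
function safeExpand(pattern, expandFn) {
  if (hasZeroStepSequence(pattern)) {
    throw new RangeError(`refusing to expand zero-step sequence: ${pattern}`);
  }
  return expandFn(pattern);
}
```

Run the guard on patterns taken from command-line arguments or configuration files before they are handed to expand() or to a minimatch/glob call that expands braces.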