What is CVE-2025-5889?

CVE-2025-5889 is a low-severity vulnerability in Juliangruber Brace-expansion, classified under Uncontrolled Resource Consumption. CVSS score: 3.1/10. Published 2025-06-09.

How severe is CVE-2025-5889?

Low severity. CVSS v3 base score is 3.1 out of 10.

Is CVE-2025-5889 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Juliangruber Brace-expansion

CVE-2025-5889

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular e…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (25.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

Juliangruber Brace-expansion — versions 1.1.0, 1.1.1, 1.1.2

Weakness classification (CWE)

Public proof-of-concept exploits

References

VDB-311660 | juliangruber brace-expansion index.js expand redos (technical-description, vdb-entry)
VDB-311660 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #585717 | juliangruber @juliangruber/brace-expansion 1.1.11 Inefficient Regular Expression Complexity (third-party-advisory)
cna@vuldb.com (exploit)
cna@vuldb.com (issue-tracking, patch)
cna@vuldb.com (patch)

Frequently asked questions

What is CVE-2025-5889?: CVE-2025-5889 is a low-severity vulnerability in Juliangruber Brace-expansion, classified under Uncontrolled Resource Consumption. CVSS score: 3.1/10. Published 2025-06-09.
How severe is CVE-2025-5889?: Low severity. CVSS v3 base score is 3.1 out of 10.
Is CVE-2025-5889 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.