Description
Regular Expression Denial of Service (ReDoS)
Vulnerable module: braces
Introduced through: react-scripts@2.1.1
Detailed paths
Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › micromatch@2.3.11 › braces@1.8.5
Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › jest-haste-map@23.6.0 › micromatch@2.3.11 › braces@1.8.5
Introduced through: project-hydro-website@hydrogen-dev/projecthydro.org#ad6d285bec4814b92bb7397709fceb4e34f0efcd › react-scripts@2.1.1 › jest@23.6.0 › jest-cli@23.6.0 › jest-config@23.6.0 › micromatch@2.3.11 › braces@1.8.5
Remediation: Upgrade to react-scripts@3.0.0.
…and 60 more
Overview
braces is a Bash-like brace expansion, implemented in JavaScript.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The package used the regular expression `^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}` to detect empty braces. The adjacent `,+` and `,*` quantifiers can split a run of commas in O(n) ways, and each split is retried after the closing `\}` fails to match, so rejecting a crafted input about 50K characters long takes roughly 10 seconds of matching time.
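The following is an added example, not code from the braces project or from this repository: it runs the advisory's regex against a constructed attack input (an opening brace followed by a run of commas and no closing brace) so the quadratic growth is visible, and places a hand-written single-pass scanner beside it that accepts the same inputs in linear time. The function names, the scanner, and the attack input are assumptions made here for illustration.

```javascript
// Added example (not the braces project's own code). The regex below is the
// one quoted in the advisory for braces@1.8.5; everything else is constructed
// here to demonstrate the ReDoS and a backtracking-free replacement.

// Vulnerable check for "empty" brace patterns such as {,}, {,,} or {,{,}}.
// In each branch a greedy comma run (`,+` or `,*`) is followed, after an
// optional group loop, by another comma run. When the final `\}` fails, the
// engine retries every way of splitting the commas between the two runs, and
// each retry re-scans the remaining commas: O(n^2) work to reject n commas.
const VULNERABLE_EMPTY_BRACES = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

function isEmptyBracesRegex(str) {
  return VULNERABLE_EMPTY_BRACES.test(str);
}

// Hypothetical linear-time replacement. It accepts exactly the language the
// regex accepts: `{`, a run of commas, zero or more complete `{,+}` groups,
// another run of commas, `}`, with at least one comma in the two runs
// combined. Like the regex it is anchored only at the start of the string.
// It walks the input once and never backtracks.
function isEmptyBracesLinear(str) {
  let i = 0;
  if (str[i++] !== '{') return false;
  let commas = 0;
  while (str[i] === ',') { i++; commas++; }        // leading comma run
  while (str[i] === '{') {                          // zero or more `{,+}` groups
    let j = i + 1;
    let inner = 0;
    while (str[j] === ',') { j++; inner++; }
    if (inner === 0 || str[j] !== '}') break;       // incomplete group: stop, as the regex would
    i = j + 1;
  }
  while (str[i] === ',') { i++; commas++; }        // trailing comma run
  return commas > 0 && str[i] === '}';
}

// Constructed attack input: `{` followed by n commas and no closing brace.
function attackInput(n) {
  return '{' + ','.repeat(n);
}

// Constructed cases used to confirm the scanner agrees with the regex.
const SAMPLE_CASES = [
  '{,}', '{,,}', '{,{,}}', '{{,},}', '{,{,}{,,},}', '{,}tail',
  '{}', '{{,}}', '{a,b}', '{,{,,}', '{,{}}', '', 'x{,}', attackInput(50),
];

function regexAndScannerAgree(cases = SAMPLE_CASES) {
  return cases.every((s) => isEmptyBracesRegex(s) === isEmptyBracesLinear(s));
}

// Node 16+ exposes `performance` globally.
function timeMs(fn, input) {
  const t0 = performance.now();
  const result = fn(input);
  return { result, ms: performance.now() - t0 };
}

// Doubling n roughly quadruples the regex time; the scanner stays flat.
for (const n of [1000, 2000, 4000, 8000]) {
  const slow = timeMs(isEmptyBracesRegex, attackInput(n));
  const fast = timeMs(isEmptyBracesLinear, attackInput(n));
  console.log(`n=${n}: regex ${slow.ms.toFixed(1)} ms, scanner ${fast.ms.toFixed(3)} ms`);
}
```

The scanner is an illustration of the general fix for this class of bug, replacing a pattern with adjacent overlapping quantifiers by a single forward pass; it is not the change the braces maintainers shipped, so upgrading via react-scripts@3.0.0 as the remediation line says remains the actual fix.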