VYPR
Low severity · NVD Advisory · Published Mar 30, 2021 · Updated Dec 1, 2025

CVE-2018-1109

Description

A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Braces versions 2.2.0 to 2.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via a crafted input.

Vulnerability

Overview

CVE-2018-1109 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Braces npm package, versions 2.2.0 through 2.3.0. The flaw resides in the lib/parsers.js file, where a regular expression used to match brace patterns can be forced into catastrophic backtracking when processing specially crafted input strings [1][3].

Exploitation

Mechanics

An attacker can trigger the vulnerability by providing a maliciously crafted string that causes the regex engine to take exponential time to evaluate. The vulnerable regex in the multiplier parser was identified and subsequently optimized in commit abdafb0cae, where the pattern was simplified to reduce the risk of backtracking [4]. No authentication or special network position is required if the application processes user-supplied brace patterns.
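To see what the simplification in commit abdafb0cae changes, the following added example (not code from the braces project) runs the pre-fix and post-fix multiplier patterns from that diff side by side on short, well-formed brace inputs; the inputs are constructed here, and the check shows both where the captured multiplier body is unchanged and where the simpler pattern accepts a form the old one rejected.

```javascript
// Added example, not part of braces. Compares the two multiplier regexes from
// the abdafb0cae diff (lib/parsers.js) on short, well-formed inputs.
const OLD_MULTIPLIER = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/; // pre-fix pattern
const NEW_MULTIPLIER = /^\{((?:,|\{,+\})+)\}/;                        // post-fix pattern

// Returns capture group 1 (the multiplier body) or null when there is no match.
function multiplierBody(re, input) {
  const m = re.exec(input);
  return m ? m[1] : null;
}

// Runs both patterns over the inputs and records whether they agree.
function compareMultiplierRegexes(inputs) {
  return inputs.map((input) => {
    const before = multiplierBody(OLD_MULTIPLIER, input);
    const after = multiplierBody(NEW_MULTIPLIER, input);
    return { input, before, after, same: before === after };
  });
}

// Constructed sample inputs: multiplier forms braces accepts, plus edge cases.
// '{{,}}' has no bare comma, which the old alternation required at the start
// or the end; the simplified pattern accepts it.
const SAMPLE_INPUTS = ['{,}', '{,,,}', '{,{,,}}', '{{,},}', '{,{,},}', '{}', '{a,b}', '{{,}}'];

for (const r of compareMultiplierRegexes(SAMPLE_INPUTS)) {
  const flag = r.same ? '' : '  <- accepted language differs';
  console.log(`${r.input.padEnd(9)} before=${JSON.stringify(r.before)} after=${JSON.stringify(r.after)}${flag}`);
}
```

Inputs on which the two patterns disagree are the ones a regression test for the upgrade should pin down.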

Impact

Successful exploitation leads to a denial of service condition, where the Node.js process becomes unresponsive or extremely slow, potentially impacting the availability of the application or service using the Braces library. This class of attack is known as ReDoS and can be used to degrade or deny service to legitimate users [2].

Mitigation and Status

The vulnerability was patched in Braces version 2.3.1. Users should upgrade to that version or later to eliminate the risk. The Red Hat bug tracker notes this issue is closed as NOTABUG from their perspective, but the upstream fix is available and recommended [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions     Patched versions
braces (npm)    >= 2.2.0, < 2.3.1     2.3.1

Affected products

2 affected products
  • Braces/Braces
  • ghsa-coords
    Range: >= 2.2.0, < 2.3.1

Patches

1 patch

abdafb0cae1e

optimize regex

https://github.com/micromatch/braces · jonschlinkert · Feb 16, 2018 · via ghsa
1 file changed · +1 -1
  • lib/parsers.js (+1 -1, modified)
    @@ -127,7 +127,7 @@ module.exports = function(braces, options) {
         .set('multiplier', function() {
           var isInside = this.isInside('brace');
           var pos = this.position();
    -      var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
    +      var m = this.match(/^\{((?:,|\{,+\})+)\}/);
           if (!m) return;
     
           this.multiplier = true;
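Review bot: the replacement pattern on the `+` line changes the accepted language, not only the backtracking behaviour. The old alternation required at least one bare comma either before or after the `{,+}` groups, whereas `(?:,|\{,+\})+` also accepts inputs such as `{{,}}` and `{,{,},{,}}` as multipliers; a regression test covering those forms, and a changelog line, would make the behaviour change deliberate rather than incidental. The old pattern's inner capture groups (`(\{,+\})`) are also gone; the visible lines only use `m` for the null check, but it is worth confirming nothing downstream reads `m[2]` or `m[3]`. The backtracking concern itself looks resolved: the two alternatives start with different characters and `,+` is terminated by a literal `}`, so the engine never has two ways to consume the same text.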
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.