[BUG] v10 bundled dependency `brace-expansion@2.0.1` is vulnerable to ReDoS

[mhassan1]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When I run npm audit in a project containing npm@10, I see:

# npm audit report

brace-expansion  2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

1 low severity vulnerability

To address all issues, run:
  npm audit fix

When I run npm audit fix, I see:

npm warn audit fix brace-expansion@2.0.1 node_modules/npm/node_modules/brace-expansion
npm warn audit fix brace-expansion@2.0.1 is a bundled dependency of
npm warn audit fix brace-expansion@2.0.1 npm@10.9.2 at node_modules/npm
npm warn audit fix brace-expansion@2.0.1 It cannot be fixed automatically.
npm warn audit fix brace-expansion@2.0.1 Check for updates to the npm package.

Expected Behavior

No npm audit findings in npm

Steps To Reproduce

1. npm install npm@10
2. npm audit

Environment

• npm: 10.9.2
• Node.js: 22.15.1
• OS Name: OS X
• System Model Name: Macbook Pro
• npm config: N/A

[mhadi512]

It has been unfixed for almost a week.

It's inside minimatch package. currently used version is 9.0.5.

here is my npm ls output:
npm@10.9.2
└─ minimatch@9.0.5
└─ brace-expansion@2.0.1 ← vulnerable

Unfortunately, minimatch didn't update deps, v9.0.5 is the latest in v9.x.x. The next version is v10 (which uses brace-expansion v4)

[ljharb]

What’s the code path this is used in, though? ReDOS vulns are often false positives when they’re self-attacks.

[MikeMcC399]

This issue is producing an unfixable low vulnerability warning also when using semantic-release@24.2.5 (current latest):

Steps to reproduce

cd $(mktemp -d)
npm init -y
npm install semantic-release@latest
npm audit fix

Logs

$ npm audit fix
npm warn audit fix brace-expansion@2.0.1 node_modules/npm/node_modules/brace-expansion
npm warn audit fix brace-expansion@2.0.1 is a bundled dependency of
npm warn audit fix brace-expansion@2.0.1 npm@10.9.2 at node_modules/npm
npm warn audit fix brace-expansion@2.0.1 It cannot be fixed automatically.
npm warn audit fix brace-expansion@2.0.1 Check for updates to the npm package.

up to date, audited 495 packages in 3s

100 packages are looking for funding
  run `npm fund` for details

# npm audit report

brace-expansion  2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

1 low severity vulnerability

To address all issues, run:
  npm audit fix

• Edit: reported also in brace-expansion@2.0.1 unfixable low vulnerability (CVE-2025-5889) semantic-release/npm#966

[mhadi512]

Since I'm using Yarn, and I'm quite sure my app wont use this global package, I fixed it temporary by removing brace-expansion directory.

I added this line in my dockerfile:

# TODO Remove the below line when a new node image is released that includes a fix for the brace-expansion vulnerability
RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion

[MikeMcC399]

Can the update to brace-expansion@2.0.2 be backported to npm@10.x or is that not possible?

npm@11.4.2 updated to brace-expansion@2.0.2 and fixed this issue in npm@11.x

[MikeMcC399]

This should be fixed through PR #8378 in v10.9.3

[MikeMcC399]

@mhassan1

Will you close this issue now?

Your steps to reproduce, that now install npm@10.9.3, no longer show any audit issue (0 vulnerabilities):

Steps

cd $(mktemp -d)
npm install npm@10
npm audit fix
npm ls

Logs

$ cd $(mktemp -d)
npm install npm@10
npm audit fix
npm ls

added 1 package in 2s

25 packages are looking for funding
  run `npm fund` for details

up to date, audited 210 packages in 1s

25 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
tmp.q9gBlDx9eM@ /tmp/tmp.q9gBlDx9eM
└── npm@10.9.3

(The semantic-release issue I mentioned has also been fixed.)