[GHSA-f886-m6hf-6m8v] brace-expansion: Zero-step sequence causes process hang and memory exhaustion#7395
Hi there @juliangruber! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the CVSS v3.1 vector for the brace-expansion GHSA advisory entry in the GitHub-reviewed advisory database.
Changes:
- Updates the CVSS v3.1 vector string under severity.score for GHSA-f886-m6hf-6m8v.
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" | ||
| "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" |
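Review bot: the replacement score line changes two base metrics at once, AV:N to AV:L and I:N to I:L, yet the PR description only says the vector is "updated" and the advisory title describes a process hang and memory exhaustion, which is an availability-only impact; nothing visible here justifies adding an integrity impact or narrowing the attack vector to local. Please state the source of the new metrics (the GHSA or NVD record) in the PR description, and if only one metric is meant to change, keep the others as they were on the removed line, `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"`, altering just the intended field.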
The updated CVSS vector appears inconsistent with the advisory details. The write-up describes a denial-of-service (hang/memory exhaustion) with no integrity impact, but the vector now sets I:L. Also, the described attack involves passing untrusted strings (often user-controlled) into expand(), which is commonly reachable over networked interfaces; switching AV from N to L likely understates the attack vector. Please re-verify the intended CVSS v3.1 metrics (e.g., I:N and confirm correct AV) against the source (GHSA/NVD) and update the vector accordingly.
| "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" | |
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" |