CVE-2025-5889

[frederi-co]

Hi,

Is there any plan to bum brace-expansion@2.0.1 to 2.0.2 to address CVE-2025-5889.

Rgds

{
"Target": "Node.js",
"Class": "lang-pkgs",
"Type": "node-pkg",
"Vulnerabilities": [
{
"VulnerabilityID": "",
"PkgID": "brace-expansion@2.0.1",
"PkgName": "brace-expansion",
"PkgPath": "opt/node/lib/node_modules/npm/node_modules/brace-expansion/package.json",
"PkgIdentifier": {
"PURL": "pkg:npm/brace-expansion@2.0.1",
"UID": "f7064848b69f9c00"
},
"InstalledVersion": "2.0.1",
"FixedVersion": "2.0.2, 1.1.12, 3.0.1, 4.0.1",
"Status": "fixed",
"Layer": {
"Digest": "sha256:07ac928e322a60aad69b8ace00c0df1352491c9e060d6f5fdc70ed63fb2e6337",
"DiffID": "sha256:2eac788af8f932875e7aad62c6becd316aefb825d6045fb9dcdb777a83d92ab3"
},

[MikeMcC399]

@frederi-co

You didn't mention which version of Node.js you are interested in. It's already fixed in the bundled version of npm in Node.js >= 24.3.0.

The low severity brace-expansion vulnerability CVE-2025-5889 was resolved in npm@11.4.2 and npm@10.9.3.

Node.js Release	Bundled npm	Fixed
20.19.4	10.8.2	NO
22.17.1	10.9.2	NO
24.4.1	11.4.2	YES

Workaround

For Node.js 20.x and 22.x versions you can update npm yourself as a workaround, instead of relying on the version of npm bundled with Node.js, for instance:

npm install npm@latest --global

[MikeMcC399]

See also PR #58847

[frederi-co]

Thanks, I am looking at Node20.x and 22.x

[MikeMcC399]

@frederi-co

Thanks, I am looking at Node20.x and 22.x

If you are able to update your local npm copy with npm install, then that would be your fastest solution.

If you are asking about a Node.js release with a fix, then I suggest you read #58847 which has moved the fix into Node.js 22.x staging waiting for the next release, and identifies an issue preventing backporting to Node.js 20.x.

[juanarbol]

This is not a Node.js bug. I'm closing this.

[MikeMcC399]

Node.js 22.18.0 updated to npm@10.9.3 which removes the low severity vulnerability CVE-2025-5889 in the Node.js 22.x bundle