Skip to content

THIR-833 [Aikido] CVE-2025-5889 brace-expansion Regular Expression Denial of Service vulnerability#250

Merged
jholden-scw merged 2 commits intov1from
THIR-833-potential-file-inclusion-attack-via-reading-file-due-date-28-jul-2025
Jul 30, 2025
Merged

THIR-833 [Aikido] CVE-2025-5889 brace-expansion Regular Expression Denial of Service vulnerability#250
jholden-scw merged 2 commits intov1from
THIR-833-potential-file-inclusion-attack-via-reading-file-due-date-28-jul-2025

Conversation

@jholden-scw
Copy link
Contributor

@jholden-scw jholden-scw commented Jul 24, 2025
edited
Loading

Update brace-expansion to mitigate CVE-2025-5889

@jholden-scw
THIR-833 Mitigate path traversal attack
0aa894f 
* Add protection from path traversal attacks
* Also update brace-expansion to mitigate CVE-2025-5889
@secure-code-warrior-for-github
Copy link

secure-code-warrior-for-github bot commented Jul 24, 2025

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "path traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
  • OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

cwong-scw
cwong-scw requested changes Jul 25, 2025
View reviewed changes
Copy link
Contributor

@cwong-scw cwong-scw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For @vijaynscw to please validate but my take is that the inFilePath should specifically allow referencing parent directories.

@jholden-scw jholden-scw changed the title THIR-833 Mitigate path traversal attack THIR-833 [Aikido] CVE-2025-5889 brace-expansion Regular Expression Denial of Service vulnerability Jul 30, 2025
@secure-code-warrior-for-github
Copy link

secure-code-warrior-for-github bot commented Jul 30, 2025

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

@jholden-scw jholden-scw merged commit a5ecf97 into v1 Jul 30, 2025
2 checks passed
@jholden-scw jholden-scw deleted the THIR-833-potential-file-inclusion-attack-via-reading-file-due-date-28-jul-2025 branch July 30, 2025 01:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwong-scw cwong-scw cwong-scw approved these changes

@vijaynscw vijaynscw Awaiting requested review from vijaynscw

@simon-harloff-scw simon-harloff-scw Awaiting requested review from simon-harloff-scw

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jholden-scw @cwong-scw @vijaynscw