sass-1.94.0.tgz: 1 vulnerabilities (highest severity is: 8.6)

[mend-bolt-for-github]

Vulnerable Library - sass-1.94.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (sass version)	Remediation Possible**
CVE-2026-25547	High	8.6	brace-expansion-5.0.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-25547

Vulnerable Library - brace-expansion-5.0.0.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• sass-1.94.0.tgz (Root Library)
  • watcher-2.4.1.tgz
    • node-gyp-12.1.0.tgz
      • make-fetch-happen-15.0.3.tgz
        • cacache-20.0.3.tgz
          • glob-13.0.0.tgz
            • minimatch-10.1.1.tgz
              • ❌ brace-expansion-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3811cacd28882076999131bc67f240b76b2f39ee

Found in base branch: main

Vulnerability Details

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Publish Date: 2026-02-04

URL: CVE-2026-25547

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-04

Fix Resolution: https://github.com/isaacs/brace-expansion.git - v5.0.1

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.