Skip to main content

CVE-2026-33750

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-26 https://github.com/juliangruber/brace-expansion
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 18:30 vuln.today
CVE Published
Mar 26, 2026 - 18:29 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2,867 npm packages depend on brace-expansion (65 direct, 2,826 indirect)

Ecosystem-wide dependent count for version 4.0.0.

DescriptionGitHub Advisory

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

  • 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

AnalysisAI

Brace-expansion library versions prior to 5.0.5 allow unauthenticated remote attackers to cause denial of service through resource exhaustion by supplying brace expansion patterns with zero step values (e.g., {1..2..0}), triggering an infinite loop that consumes gigabytes of memory and hangs the process for seconds. The vulnerability affects any application passing untrusted input to the expand() function, including glob/minimatch-based tools consuming CLI arguments or configuration files, and requires only 10 bytes of malicious input to trigger.

Technical ContextAI

The brace-expansion library (pkg:npm/brace-expansion) implements bash-style brace expansion pattern processing. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and stems from a sequence generation loop in src/index.ts (line 184) that fails to validate step increment values. When a step value of 0 is provided in a range pattern, the increment is computed as Math.abs(0) = 0, causing the loop variable to never advance and the test() condition to never terminate. The vulnerability exists because validation occurs only at the output combination stage rather than during sequence generation, allowing unbounded memory allocation during the infinite loop phase.

RemediationAI

Upgrade the brace-expansion package to version 5.0.5 or later, where step increment values of 0 are now sanitized to 1, matching bash behavior. For applications unable to immediately upgrade dependencies, implement input sanitization at the application level to reject or normalize brace expansion patterns containing explicit zero step values before passing them to the expand() function. Additionally, consider restricting pattern expansion to trusted sources and implementing timeouts on pattern expansion operations to fail safely if resource consumption exceeds thresholds. Review all direct and transitive dependencies on brace-expansion via dependency auditing tools and update package-lock.json or yarn.lock files after patching.

Vendor StatusVendor

Share

CVE-2026-33750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy