CVE-2026-33750
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2,867 npm packages depend on brace-expansion (65 direct, 2,826 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionGitHub Advisory
Impact
A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.
The loop in question:
https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
test() is one of
https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.
This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.
Patches
Upgrade to versions
- 5.0.5+
A step increment of 0 is now sanitized to 1, which matches bash behavior.
Workarounds
Sanitize strings passed to expand() to ensure a step value of 0 is not used.
AnalysisAI
Brace-expansion library versions prior to 5.0.5 allow unauthenticated remote attackers to cause denial of service through resource exhaustion by supplying brace expansion patterns with zero step values (e.g., {1..2..0}), triggering an infinite loop that consumes gigabytes of memory and hangs the process for seconds. The vulnerability affects any application passing untrusted input to the expand() function, including glob/minimatch-based tools consuming CLI arguments or configuration files, and requires only 10 bytes of malicious input to trigger.
Technical ContextAI
The brace-expansion library (pkg:npm/brace-expansion) implements bash-style brace expansion pattern processing. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and stems from a sequence generation loop in src/index.ts (line 184) that fails to validate step increment values. When a step value of 0 is provided in a range pattern, the increment is computed as Math.abs(0) = 0, causing the loop variable to never advance and the test() condition to never terminate. The vulnerability exists because validation occurs only at the output combination stage rather than during sequence generation, allowing unbounded memory allocation during the infinite loop phase.
RemediationAI
Upgrade the brace-expansion package to version 5.0.5 or later, where step increment values of 0 are now sanitized to 1, matching bash behavior. For applications unable to immediately upgrade dependencies, implement input sanitization at the application level to reject or normalize brace expansion patterns containing explicit zero step values before passing them to the expand() function. Additionally, consider restricting pattern expansion to trusted sources and implementing timeouts on pattern expansion operations to fail safely if resource consumption exceeds thresholds. Review all direct and transitive dependencies on brace-expansion via dependency auditing tools and update package-lock.json or yarn.lock files after patching.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today