Skip to main content

brace-expansion CVE-2026-45149

| EUVDEUVD-2026-33442 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-18 https://github.com/juliangruber/brace-expansion GHSA-jxxr-4gwj-5jf2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable via apps that pass untrusted input to expand(); no auth or interaction; only availability is impacted via memory/CPU exhaustion, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 12, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 18:52 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 18:52 NVD
MEDIUM HIGH
CVSS changed
Jun 12, 2026 - 18:52 NVD
6.5 (MEDIUM) 7.5 (HIGH)
Source Code Evidence Fetched
May 18, 2026 - 17:01 vuln.today
Analysis Generated
May 18, 2026 - 17:01 vuln.today

DescriptionNVD

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

Workaround

Ensure the string to be expanded doesn't contain more values than the desired max item count.

AnalysisAI

{1..10000000} allocates roughly 505 MB and burns ~800 ms even when max=10`, defeating the intended DoS protection. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor-released patch (5.0.6) and a GitHub Security Advisory (GHSA-jxxr-4gwj-5jf2) are available.

Technical ContextAI

brace-expansion is a widely used npm package that implements Bash-style brace expansion (e.g. {a,b,c}, {1..10}) and is a transitive dependency of minimatch, glob, and much of the Node.js tooling ecosystem. The library exposes a max option specifically to cap the number of expansions and prevent resource exhaustion, but in the affected releases the numeric-range branch of expand_() in src/index.ts builds the entire intermediate array via a for (let i = x; test(i, y); i += incr) loop and only truncates afterwards. This is a textbook CWE-400 (Uncontrolled Resource Consumption) algorithmic-complexity flaw: the work is linear in the requested range rather than in max, so a tiny input string can drive O(N) memory and CPU regardless of caller-supplied safety limits. The fix adds && N.length < max to the loop guard so iteration stops as soon as the cap is reached.

RemediationAI

Vendor-released patch: upgrade brace-expansion to 5.0.6 or later, which adds the N.length < max guard to the numeric-range loop (commit c0b095bdc52bc4c36dc88deddbadabc49f8371e5); see the GitHub Security Advisory at https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2. For applications that pull brace-expansion transitively, use npm ls brace-expansion to locate the vulnerable copies and pin via package-manager overrides/resolutions (overrides in npm, resolutions in Yarn/pnpm) until parent packages such as minimatch/glob ship updated ranges. If patching is not immediately possible, the vendor-documented workaround is to validate or sanitize input strings before calling expand() so they cannot contain a numeric range larger than the desired max item count - e.g. reject inputs containing {N..M} where M-N exceeds a small threshold, or strip brace-range syntax entirely; the trade-off is that legitimate large ranges from trusted callers will also be rejected, and a regex-based pre-check adds its own parsing cost.

Vendor StatusVendor

Share

CVE-2026-45149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy