Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable via apps that pass untrusted input to expand(); no auth or interaction; only availability is impacted via memory/CPU exhaustion, so C:N/I:N/A:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionNVD
The max option was being applied too late:
When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.
Workaround
Ensure the string to be expanded doesn't contain more values than the desired max item count.
AnalysisAI
{1..10000000} allocates roughly 505 MB and burns ~800 ms even when max=10`, defeating the intended DoS protection. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor-released patch (5.0.6) and a GitHub Security Advisory (GHSA-jxxr-4gwj-5jf2) are available.
Technical ContextAI
brace-expansion is a widely used npm package that implements Bash-style brace expansion (e.g. {a,b,c}, {1..10}) and is a transitive dependency of minimatch, glob, and much of the Node.js tooling ecosystem. The library exposes a max option specifically to cap the number of expansions and prevent resource exhaustion, but in the affected releases the numeric-range branch of expand_() in src/index.ts builds the entire intermediate array via a for (let i = x; test(i, y); i += incr) loop and only truncates afterwards. This is a textbook CWE-400 (Uncontrolled Resource Consumption) algorithmic-complexity flaw: the work is linear in the requested range rather than in max, so a tiny input string can drive O(N) memory and CPU regardless of caller-supplied safety limits. The fix adds && N.length < max to the loop guard so iteration stops as soon as the cap is reached.
RemediationAI
Vendor-released patch: upgrade brace-expansion to 5.0.6 or later, which adds the N.length < max guard to the numeric-range loop (commit c0b095bdc52bc4c36dc88deddbadabc49f8371e5); see the GitHub Security Advisory at https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2. For applications that pull brace-expansion transitively, use npm ls brace-expansion to locate the vulnerable copies and pin via package-manager overrides/resolutions (overrides in npm, resolutions in Yarn/pnpm) until parent packages such as minimatch/glob ship updated ranges. If patching is not immediately possible, the vendor-documented workaround is to validate or sanitize input strings before calling expand() so they cannot contain a numeric range larger than the desired max item count - e.g. reject inputs containing {N..M} where M-N exceeds a small threshold, or strip brace-range syntax entirely; the trade-off is that legitimate large ranges from trusted callers will also be rejected, and a regex-based pre-check adds its own parsing cost.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33442
GHSA-jxxr-4gwj-5jf2