Brace Expansion
Monthly
{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.
{}' brace groups to the expand() function, whose recursion is exponential in the number of such groups. Because brace-expansion is a near-ubiquitous transitive dependency (notably via minimatch/glob), any application that feeds untrusted input to expand() directly or indirectly is exposed. No public exploit was identified at time of analysis, though the CVSS 4.0 threat metric (E:P) indicates proof-of-concept maturity; the issue is not in CISA KEV.