MEDIUM 6.5

CVE-2026-45149: Brace-Expansion Library Resource Exhaustion DoS (CVSS 6.5)

The brace-expansion library, a utility for generating string sequences from patterns, has a performance handling flaw in versions 5.0.0 through 5.0.5. When users expand large numeric ranges—such as {1..10000000}—the library was constructing the entire intermediate sequence in memory before applying user-defined limits. This means even if you set a maximum output of 10 items, the library would still build all 10 million elements first, consuming roughly 505 MB of memory and 800 milliseconds of processing time before discarding them. The flaw is fixed in version 5.0.6 and later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The brace-expansion library implements a sequence generator for bash-style brace patterns. The vulnerability stems from the order of operations: the max option constraint was applied in the output phase rather than during sequence generation. For numeric ranges specified as {start..end}, the code path allocates and populates a full intermediate array before truncating to the max limit. This represents a denial-of-service vector through uncontrolled resource consumption. The fix reorders the logic to respect the max constraint during generation, preventing allocation of unnecessary elements. CWE-400 (Uncontrolled Resource Consumption) applies.

Business impact

For applications embedding brace-expansion—particularly build systems, configuration processors, or templating engines—this flaw creates a denial-of-service risk. An attacker or malicious input could trigger expansion of extremely large ranges, starving the application of memory and CPU. Affected services may become unresponsive or crash. The impact is elevated in multi-tenant or public-facing services where input is less controlled. Internal build pipelines with untrusted job definitions also face exposure.

Affected systems

The juliangruber brace-expansion library versions 5.0.0 through 5.0.5 are vulnerable. Any application or library that depends on brace-expansion transitively is potentially affected if it processes user-supplied or untrusted pattern input. Common consumers include Node.js build tools, linters, and configuration file processors. Verify your application's dependency tree via package-lock.json or yarn.lock to confirm whether you import a vulnerable version, either directly or as a transitive dependency.

Exploitability

Exploitation requires the ability to supply crafted brace patterns as input to the affected library. If your application accepts user-controlled pattern strings—via CLI arguments, configuration files, API parameters, or file uploads—the attack surface is real. An attacker needs only to craft a simple pattern like {1..999999999} to trigger resource exhaustion. No authentication, complex setup, or specialized tools are required. The barrier to exploitation is low for any internet-facing service that parses or expands brace patterns. Notably, this vulnerability is not yet tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Upgrade brace-expansion to version 5.0.6 or later. This is a straightforward dependency update; no code changes to your application are required. For npm projects, run npm update or manually bump the version in package.json and run npm install. For Yarn users, run yarn upgrade. After updating, verify the new version is locked in your lock file and redeploy. If brace-expansion is a transitive dependency, check the parent package for an updated version that pulls in the patched dependency.

Patch guidance

Update to brace-expansion 5.0.6 or any subsequent version. Consult the official npm registry or GitHub releases page for the juliangruber/brace-expansion repository to confirm version availability and release notes. If you maintain a private package mirror, ensure 5.0.6 is available before upgrading. For organizations with strict change management, treat this as a low-risk patch suitable for automated or expedited deployment pipelines, as it addresses a clear resource-exhaustion issue with a straightforward fix.

Detection guidance

Audit your dependency tree using npm ls brace-expansion or yarn why brace-expansion to identify whether you depend on a vulnerable version. Implement continuous scanning of package.json and lock files via Software Composition Analysis (SCA) tools—such as Snyk, npm audit, or your SIEM's dependency plugin—to alert on future versions of brace-expansion below 5.0.6. In production, monitor for abnormal CPU and memory spikes coinciding with application restarts or errors; brace-expansion DoS may trigger OOM kills or timeouts in logs. If feasible, instrument pattern-expansion calls to log input size and execution time, enabling detection of anomalously large range requests.

Why prioritize this

This vulnerability merits patching within a standard 30-day cycle. The CVSS score of 6.5 (MEDIUM) reflects high availability impact but no confidentiality or integrity breach. The lack of KEV status indicates limited real-world weaponization to date, reducing urgency. However, the low complexity of exploitation and ubiquity of Node.js dependencies make it a reasonable target for opportunistic attackers. Prioritize if brace-expansion is used in customer-facing services or build infrastructure; defer if limited to isolated development environments. The fix is trivial to deploy, favoring expedited action.

Risk score, explained

CVSS 6.5 is assigned: AV:N (Network-accessible), AC:L (Low attack complexity), PR:N (No privileges required), UI:R (User interaction required—attacker must cause the app to process a malicious pattern), S:U (Scope unchanged), C:N (No confidentiality impact), I:N (No integrity impact), A:H (High availability impact via resource exhaustion). The high availability score reflects the uncontrolled memory and CPU consumption. User interaction requirement moderates the score; the attacker cannot passively trigger the flaw but must influence input handling.

Frequently asked questions

How do I know if my application uses brace-expansion?

Check your package.json for a direct 'brace-expansion' dependency, or run npm ls brace-expansion in your project root to see the full dependency tree. If not listed at the top level, it may be a transitive dependency pulled in by another package. npm audit will also flag vulnerable versions.

Does upgrading to 5.0.6 require any application code changes?

No. The fix is entirely internal to the library. Upgrade the version in package.json or via npm update, reinstall dependencies, and redeploy. No refactoring or testing of your own code is necessary.

What input patterns trigger this vulnerability?

Any large numeric range pattern, such as {1..10000000} or {0..100000000}, will cause the library to allocate memory and CPU proportional to the range size before applying the max limit. Even a seemingly innocent configuration file or template that includes such a pattern—especially if user-supplied—can trigger the issue.

Is there a workaround if I cannot upgrade immediately?

If upgrading is blocked, sanitize or limit the size of numeric ranges before passing them to brace-expansion. For example, reject patterns with ranges exceeding a threshold (e.g., {a..b} where b-a > 10000). However, upgrading is strongly preferred, as the patch is low-risk and addresses the root cause.

This analysis is provided for informational purposes and represents the state of vulnerability intelligence as of the published date. CVSS scores, affected versions, and patch details are derived from official CVE records and vendor advisories; always verify against the source repository and official security notices before implementing remediations. SEC.co does not warrant the completeness or accuracy of third-party vulnerability data and assumes no liability for decisions made based on this analysis. Consult with your security team and vendor support for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).