PT-2026-28527 · Npm · Brace-Expansion

Published

2026-03-26

·

Updated

2026-05-18

·

CVE-2026-33750

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

brace-expansion versions prior to 5.0.5
brace-expansion versions prior to 3.0.2
brace-expansion versions prior to 2.0.3
brace-expansion versions prior to 1.1.13
Description

The brace-expansion library is susceptible to a denial-of-service condition. A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence-generation loop to run indefinitely, leading to a process hang and unbounded memory allocation as each iteration appends another element to the result. The issue stems from the increment calculation within the loop: the step is taken as its absolute value, so a step of 0 produces no advancement of the loop variable and the loop condition never becomes false. This affects applications that pass untrusted strings to the expand() function, as well as applications that inadvertently construct a pattern with a step value of 0. The input required to trigger the issue is minimal, approximately 10 bytes.
Recommendations

Upgrade to a fixed release of the major line in use:

brace-expansion 5.x: versions prior to 5.0.5 should be upgraded to 5.0.5 or later
brace-expansion 3.x: versions prior to 3.0.2 should be upgraded to 3.0.2 or later
brace-expansion 2.x: versions prior to 2.0.3 should be upgraded to 2.0.3 or later
brace-expansion 1.x: versions prior to 1.1.13 should be upgraded to 1.1.13 or later

Because brace-expansion is normally pulled in as a transitive dependency (for example through minimatch), check the lockfile for every resolved copy rather than only direct dependencies.

As a temporary workaround, sanitize strings passed to the expand() function so that a step value of 0 is never used.
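The following is an added example illustrating the Description and the Recommendations workaround above; it is not code from the brace-expansion project or from this advisory. It is a simplified numeric-sequence expander written for this page whose loop has the shape the advisory describes (step taken as an absolute value, negated when counting down), so a step of 0 never moves the loop variable. The names parseSequence, expandVulnerable, expandHardened, hasZeroStep and the maxIterations safety valve are assumptions of this example: the real library has no iteration limit, which is exactly why the bug hangs the process.

```javascript
// Added example, not brace-expansion's own code: a minimal "{start..end..step}"
// expander with the loop shape described in the advisory. All function names
// here are hypothetical.

const SEQ_RE = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/;

// Parse "{start..end}" or "{start..end..step}". Returns null for anything else.
function parseSequence(pattern) {
  const m = SEQ_RE.exec(pattern);
  if (!m) return null;
  return {
    start: parseInt(m[1], 10),
    end: parseInt(m[2], 10),
    step: m[3] === undefined ? 1 : parseInt(m[3], 10),
  };
}

// Vulnerable shape: incr = |step|, negated when counting down. With step 0 the
// loop variable never advances and the loop condition never fails.
// maxIterations is an added safety valve so this demo terminates; the real
// bug runs until memory is exhausted. `hung` reports that the valve tripped.
function expandVulnerable(pattern, maxIterations = 1000) {
  const seq = parseSequence(pattern);
  if (!seq) return { values: [pattern], hung: false };
  let incr = Math.abs(seq.step);
  const reverse = seq.end < seq.start;
  const test = reverse ? (i, y) => i >= y : (i, y) => i <= y;
  if (reverse) incr = -incr;
  const values = [];
  let iterations = 0;
  for (let i = seq.start; test(i, seq.end); i += incr) {
    values.push(String(i)); // each stuck iteration still allocates
    if (++iterations >= maxIterations) return { values, hung: true };
  }
  return { values, hung: false };
}

// Hardened shape: refuse a zero step before the loop is entered.
// (-0 === 0 is true in JavaScript, so "{1..2..-0}" is rejected as well.)
function expandHardened(pattern) {
  const seq = parseSequence(pattern);
  if (!seq) return [pattern];
  if (seq.step === 0) throw new RangeError(`zero step in sequence: ${pattern}`);
  let incr = Math.abs(seq.step);
  const reverse = seq.end < seq.start;
  const test = reverse ? (i, y) => i >= y : (i, y) => i <= y;
  if (reverse) incr = -incr;
  const values = [];
  for (let i = seq.start; test(i, seq.end); i += incr) values.push(String(i));
  return values;
}

// Workaround-style input check for callers who cannot upgrade yet: flag any
// brace group whose third "..field" is only zeros (optionally signed), so the
// string can be rejected before it reaches expand(). Matches inside larger
// strings and inside outer braces; deliberately conservative.
const ZERO_STEP_RE = /\{[^{}]*\.\.[^{}]*\.\.(?:-?0+)\}/;
function hasZeroStep(pattern) {
  return ZERO_STEP_RE.test(pattern);
}

// Usage: guard untrusted input, then expand.
function safeExpand(pattern) {
  if (hasZeroStep(pattern)) throw new RangeError('rejected: zero-step brace sequence');
  return expandHardened(pattern);
}
```

The vulnerable variant needs the iteration cap only so the demo returns; in the real loop the `values.push` on every stuck iteration is what turns a 9-byte input into a hang plus memory growth. Of the two mitigations, rejecting the zero step inside the expander is the fix, and `hasZeroStep` is the pre-filter the advisory suggests for callers who cannot upgrade immediately.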

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-33750
GHSA-F886-M6HF-6M8V
OESA-2026-1835

Affected Products

Brace-Expansion