PT-2026-53832 · Npm · Brace-Expansion
Bnbdr · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-13149
CVSS v4.0: 7.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber |
Name of the Vulnerable Software and Affected Versions
brace-expansion versions prior to 5.0.7
Description
A denial of service issue exists where the expand() function exhibits exponential-time complexity when processing consecutive non-expanding '{}' brace groups. An attacker can provide a crafted string to the expand() function, either directly or transitively, leading to excessive CPU consumption and blocking of the event loop. The max option is ineffective in this scenario because it limits the size of the output rather than the amount of recursion work performed.
Recommendations
Update brace-expansion to version 5.0.7 or later.
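For callers that cannot update right away, an added defensive pre-check (example code written for this advisory, not part of brace-expansion or the original entry) counts the brace groups in a pattern before it reaches expand(), so over-budget input is refused instead of expanded. The group limit, the backslash-escape handling and the guardedExpand wrapper are assumptions; the real fix remains upgrading to 5.0.7.

```javascript
// Assumed budget: how many '{' groups a single pattern may contain before we
// refuse to hand it to expand(). Tune for your own workload.
const MAX_BRACE_GROUPS = 16;

// Walk the pattern once and count '{' openers and empty '{}' groups. A
// backslash-escaped character is skipped (assumption: callers escape braces
// that way). The max option of expand() cannot do this job: it bounds the
// output size, not the recursion work, as the advisory notes.
function braceBudget(pattern, maxGroups = MAX_BRACE_GROUPS) {
  let groups = 0;
  let emptyGroups = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped char
    if (ch === '{') {
      groups++;
      if (pattern[i + 1] === '}') { emptyGroups++; i++; } // non-expanding '{}'
    }
  }
  return { groups, emptyGroups, ok: groups <= maxGroups };
}

// Wrapper around whatever expand function the caller uses (hypothetical
// helper): rejects over-budget patterns with a RangeError before expansion.
function guardedExpand(expandFn, pattern, maxGroups = MAX_BRACE_GROUPS) {
  const budget = braceBudget(pattern, maxGroups);
  if (!budget.ok) {
    throw new RangeError(
      `pattern has ${budget.groups} brace groups, limit is ${maxGroups}`);
  }
  return expandFn(pattern);
}

// Stand-in expander so the file runs offline; real code passes
// brace-expansion's expand here.
const passthrough = (s) => [s];
console.log(guardedExpand(passthrough, 'a{b,c}d'));          // accepted
console.log(braceBudget('{}'.repeat(40)));                   // ok: false
```

Log the rejected pattern's length and group count rather than the pattern itself, so a flood of oversized inputs shows up in monitoring without filling logs with the payloads.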
Fix
DoS
Resource Exhaustion
Related Identifiers
Affected Products
Brace-Expansion