PT-2026-6323 · Isaacs+1 · @Isaacs/Brace-Expansion+1

Jvr2022 · Published 2026-02-03 · Updated 2026-05-18 · CVE-2026-25547

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

@isaacs/brace-expansion versions prior to 5.0.1

Description

@isaacs/brace-expansion, a hybrid CJS/ESM TypeScript fork of brace-expansion, is subject to a denial of service (DoS) issue. This occurs due to unbounded brace range expansion when processing patterns with repeated numeric brace ranges. The library attempts to generate all possible combinations synchronously, leading to excessive CPU and memory consumption, potentially crashing the Node.js process.

Recommendations

Update @isaacs/brace-expansion to version 5.0.1 or later.
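
For callers that pass untrusted patterns to the library, a pre-flight size check can complement the upgrade. The following is an added example, not code from @isaacs/brace-expansion or from this advisory; the function names and the result budget are hypothetical, and the estimate covers numeric ranges only (comma lists and nesting are not modelled).

```javascript
// Added example: pre-flight guard, not part of @isaacs/brace-expansion.
// Matches numeric ranges only: {a..b} or {a..b..step}.
const NUMERIC_RANGE = /\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/g;

// Hypothetical budget; tune it to what the caller can afford to hold in memory.
const DEFAULT_MAX_RESULTS = 10000n;

// Multiply the sizes of every numeric range in the pattern without
// materializing any expansion. BigInt keeps the product exact even when
// many ranges are repeated.
function estimateRangeExpansions(pattern) {
  let total = 1n;
  for (const m of pattern.matchAll(NUMERIC_RANGE)) {
    const start = BigInt(m[1]);
    const end = BigInt(m[2]);
    let step = m[3] === undefined ? 1n : BigInt(m[3]);
    if (step < 0n) step = -step;
    if (step === 0n) step = 1n; // assumption: a zero step behaves like 1, as in bash
    const span = end >= start ? end - start : start - end;
    total *= span / step + 1n; // number of values the range yields
  }
  return total;
}

// Returns { ok, estimate }; the caller expands the pattern only when ok is true.
function checkPattern(pattern, maxResults = DEFAULT_MAX_RESULTS) {
  if (typeof pattern !== 'string') {
    throw new TypeError('pattern must be a string');
  }
  const estimate = estimateRangeExpansions(pattern);
  return { ok: estimate <= maxResults, estimate };
}
```

Because the product is computed from the pattern text alone, the check costs time proportional to the pattern length regardless of how large the expansion would be.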

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:7080
ALSA-2026:7123
ALSA-2026:7350
ALSA-2026:7675
BDU:2026-01718
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-NY12442
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-25547
GHSA-7H2J-956F-4VF2
OPENSUSE-SU-2026:10168-1
OPENSUSE-SU-2026:10236-1
OPENSUSE-SU-2026:10250-1
OPENSUSE-SU-2026:10251-1
OPENSUSE-SU-2026:10252-1
OPENSUSE-SU-2026:10253-1
OPENSUSE-SU-2026:10254-1
OPENSUSE-SU-2026:10268-1
OPENSUSE-SU-2026:10269-1
OPENSUSE-SU-2026:10424-1
OPENSUSE-SU-2026:10428-1
OPENSUSE-SU-2026:20239-1
OPENSUSE-SU-2026:20261-1
OPENSUSE-SU-2026:20502-1
OPENSUSE-SU-2026:20503-1
OPENSUSE-SU-2026:20504-1
RHSA-2026:7080
RHSA-2026:7123
RHSA-2026:7302
RHSA-2026:7310
RHSA-2026:7350
RHSA-2026:7675
RHSA-2026:7983
SUSE-SU-2026:1008-1
SUSE-SU-2026:1013-1
SUSE-SU-2026:1035-1
SUSE-SU-2026:1148-1
SUSE-SU-2026:1232-1
SUSE-SU-2026:1249-1
SUSE-SU-2026:1250-1
SUSE-SU-2026:1251-1
SUSE-SU-2026:1524-1
SUSE-SU-2026:20574-1
SUSE-SU-2026:21022-1
SUSE-SU-2026:21023-1
SUSE-SU-2026:21024-1
SUSE-SU-2026:21166-1
SUSE-SU-2026:21167-1
SUSE-SU-2026:21168-1
SUSE-SU-2026:21241-1
SUSE-SU-2026:21245-1
SUSE-SU-2026:21246-1
SUSE-SU-2026:21253-1
SUSE-SU-2026:21256-1
SUSE-SU-2026:21321-1
SUSE-SU-2026:21785-1

Affected Products

@Isaacs/Brace-Expansion
Rocky Linux