Description
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Published: 2026-06-30
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The brace-expansion library up to version 5.0.6 contains an exponential‑time algorithm in the expand() function when handling consecutive non‑expanding brace groups. When supplied with a crafted string, the function can consume disproportionate CPU time and block the event loop, resulting in service unavailability. This flaw is classified as CWE‑400 (uncontrolled resource consumption) and CWE‑407 (inefficient algorithmic complexity).

Affected Systems

The affected product is the npm package brace‑expansion, version 5.0.6 and earlier. The vulnerability specifically impacts applications that call the expand() function directly or indirectly. No other vendors or products are listed.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity. EPSS is not available, so the current probability of exploitation in the wild is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it by passing a malicious string to expand(); this can be done via any input path that invokes the library, such as user‑supplied data in web applications, command‑line tools, or automated pipelines. The max option offered by the library does not mitigate the problem, because it limits only output size, not the recursive work performed. Without a patch, exploitation can lead to CPU exhaustion and eventual denial of service for the affected application.

Generated by OpenCVE AI on June 30, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update brace‑expansion to the latest version that contains the fix (any version greater than 5.0.6).
  • If immediate update is not feasible, restrict the use of expand() with input validation, or run it in a separate process with CPU usage limits and timeout to prevent event‑loop blocking.
  • Monitor application performance for sudden increases in CPU usage or latency that could indicate an exploit attempt, and apply workload isolation or rate‑limit inputs before they reach expand().
  • Consider removing or replacing the brace‑expansion dependency if it is not critical to the application’s functionality.
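One way to apply the input-validation recommendation above, as an added example that is neither OpenCVE's nor the brace-expansion project's code: a gate that bounds pattern length, total brace groups and, specifically, the number of literal '{}' groups (the trigger the advisory names) before a pattern is handed to expand(). The expand function is injected (assumed to be require('brace-expansion') in a real application; a stub stands in for it here so the file runs offline), and the three thresholds in DEFAULT_LIMITS are assumed values, not figures from the advisory.

```javascript
// Added example, not code from the brace-expansion project or from OpenCVE:
// an input gate placed in front of expand(), along the lines of the
// "restrict the use of expand() with input validation" recommendation.
// It bounds pattern length, total brace groups and, specifically, the number
// of literal "{}" groups, which the advisory names as the trigger.
// All three thresholds are assumed defaults; tune them to your own inputs.
const DEFAULT_LIMITS = {
  maxLength: 512,      // assumed: longest pattern the application legitimately needs
  maxBraceGroups: 32,  // assumed: cap on '{' characters, bounding all brace work
  maxEmptyGroups: 8,   // assumed: cap on literal "{}" groups (the advisory's trigger)
};

// Count literal "{}" groups and the longest back-to-back run of them.
// Escaped braces ("\{}") are counted too; the gate is deliberately conservative.
function countEmptyGroups(pattern) {
  let total = 0;
  let longestRun = 0;
  let run = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '{' && pattern[i + 1] === '}') {
      total += 1;
      run += 1;
      if (run > longestRun) longestRun = run;
      i += 1; // skip the matching '}'
    } else {
      run = 0;
    }
  }
  return { total, longestRun };
}

// Decide whether a pattern may be handed to expand(). Returns a verdict
// object rather than throwing so callers can log the reason.
function checkBracePattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern is not a string' };
  }
  if (pattern.length > limits.maxLength) {
    return { ok: false, reason: `pattern longer than ${limits.maxLength} characters` };
  }
  const braceGroups = (pattern.match(/\{/g) || []).length;
  if (braceGroups > limits.maxBraceGroups) {
    return { ok: false, reason: `more than ${limits.maxBraceGroups} brace groups` };
  }
  const { total } = countEmptyGroups(pattern);
  if (total > limits.maxEmptyGroups) {
    return { ok: false, reason: `more than ${limits.maxEmptyGroups} empty "{}" groups` };
  }
  return { ok: true, reason: null };
}

// Wrapper that only calls expand() once the gate passes. The expand function
// is injected so this file runs without the library installed; in an
// application it would be require('brace-expansion').
function guardedExpand(pattern, expand, limits = DEFAULT_LIMITS) {
  const verdict = checkBracePattern(pattern, limits);
  if (!verdict.ok) {
    throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  }
  return expand(pattern);
}

// Stand-in for the real expand(): returns the pattern unexpanded. It exists
// only so the demo below runs offline; it is not the library's behaviour.
function stubExpand(pattern) {
  return [pattern];
}

// Constructed sample inputs: two ordinary patterns and one built from
// repeated "{}" groups of the shape the advisory describes.
const SAMPLES = [
  'src/{lib,test}/*.js',
  'report-{2024,2025}-{q1,q2,q3,q4}.csv',
  '{}'.repeat(24) + 'x',
];

for (const sample of SAMPLES) {
  try {
    const out = guardedExpand(sample, stubExpand);
    console.log(`accepted ${JSON.stringify(sample)} -> ${out.length} result(s)`);
  } catch (err) {
    console.log(err.message);
  }
}
```

The gate only covers the trigger the advisory reports; the other half of the same recommendation, running expand() in a separate process with a CPU limit and timeout, remains the stronger control because it bounds time regardless of input shape, and the two are best combined.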

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:15:00 +0000

  • Title
      Removed: Application Denial of Service via Brace Expansion Exponential Complexity
      Added: brace-expansion: Brace-expansion: Denial of Service due to exponential-time complexity
  • Weaknesses
      Added: CWE-1333
  • References
  • Metrics
      Removed: threat_severity: None
      Added: cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
      Added: threat_severity: Important

Tue, 30 Jun 2026 15:15:00 +0000

  • First Time appeared
      Added: Juliangruber
      Added: Juliangruber brace-expansion
  • Vendors & Products
      Added: Juliangruber
      Added: Juliangruber brace-expansion

Tue, 30 Jun 2026 13:30:00 +0000

  • Metrics
      Added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 10:45:00 +0000

  • Title
      Added: Application Denial of Service via Brace Expansion Exponential Complexity

Tue, 30 Jun 2026 09:45:00 +0000

  • Description
      Added: brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
  • Weaknesses
      Added: CWE-400
      Added: CWE-407
  • References
  • Metrics
      Added: cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:U/V:D/RE:M/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: seal

Published:

Updated: 2026-06-30T12:43:23.029Z

Reserved: 2026-06-24T10:17:07.027Z

Link: CVE-2026-13149

Vulnrichment

Updated: 2026-06-30T12:43:19.177Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-30T08:30:34Z

Links: CVE-2026-13149 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-30T15:00:05Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity

  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-407

    Inefficient Algorithmic Complexity