Impact
The brace-expansion npm library, up to and including version 5.0.6, contains an exponential-time code path in the expand() function that is reached when the input contains consecutive non-expanding brace groups. A crafted string makes expand() perform work that grows exponentially with the number of such groups; because the call is synchronous, it consumes disproportionate CPU time and blocks the Node.js event loop, so every other request handled by that process stalls and the service becomes unavailable. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-407 (Inefficient Algorithmic Complexity).
Affected Systems
The affected product is the npm package brace-expansion, version 5.0.6 and earlier. The vulnerability affects any application that calls expand() on attacker-influenced input, whether directly or through a dependency that uses the library internally. No other vendors or products are listed.
Risk and Exploitability
The CVSS score is 7.7, indicating high severity. No EPSS score is available, so the current probability of exploitation in the wild is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker exploits it by passing a crafted string to expand(); any input path that reaches the library works, such as user-supplied data in web applications, command-line arguments, or values flowing through automated pipelines. The max option offered by the library does not mitigate the problem, because it limits only the size of the output, not the recursive work performed before that limit is reached. Until a patched version is deployed, exploitation leads to CPU exhaustion and denial of service for the affected application, and a single malicious request is enough to stall the whole process because the expansion runs on the event loop.
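Because the library's own max option does not bound the work done on the way to the result, an application that cannot yet upgrade has to reject dangerous patterns before expand() sees them. The following is an added example of such a pre-filter, not code from the brace-expansion project: it scans the string for balanced brace groups, counts how many are "non-expanding" (no top-level comma and no ".." range inside, which is this example's assumed definition), and refuses inputs whose longest run of adjacent non-expanding groups, total group count, or length exceeds thresholds that are likewise assumptions chosen for illustration. The real expand function is passed in as expandFn so the guard can be tested without the package; the sample inputs are constructed for this example.

```javascript
// Added example: pre-filter for brace patterns before calling expand().
// Not part of brace-expansion. Thresholds and the definition of a
// "non-expanding group" below are assumptions made for this example.

// Walk the input and report brace-group statistics.
//   groups       - number of balanced brace pairs (any nesting depth)
//   nonExpanding - pairs with no top-level ',' and no '..' inside them
//   maxRun       - longest run of adjacent depth-0 non-expanding groups
//   unbalanced   - number of '{' left open at end of input
function braceGroupStats(input) {
  const stack = [];               // open groups, innermost last
  let groups = 0, nonExpanding = 0, run = 0, maxRun = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') { i++; continue; }                  // escaped char, skip it
    if (ch === '{') { stack.push({ hasComma: false, hasRange: false }); continue; }
    if (ch === '}' && stack.length > 0) {
      const g = stack.pop();
      groups++;
      if (!g.hasComma && !g.hasRange) {
        nonExpanding++;
        if (stack.length === 0) { run++; maxRun = Math.max(maxRun, run); }
      } else if (stack.length === 0) {
        run = 0;                                         // an expanding group ends the run
      }
      continue;
    }
    if (stack.length > 0) {
      const top = stack[stack.length - 1];               // attribute ',' and '..' to the innermost group
      if (ch === ',') top.hasComma = true;
      if (ch === '.' && input[i + 1] === '.') { top.hasRange = true; i++; }
    } else {
      run = 0;                                           // plain text at depth 0 ends the run
    }
  }
  return { groups, nonExpanding, maxRun, unbalanced: stack.length };
}

// Assumed limits; tune for the patterns your application legitimately needs.
const DEFAULT_LIMITS = { maxLength: 1024, maxGroups: 64, maxNonExpandingRun: 8 };

// Decide whether a pattern is acceptable. Returns {ok, reason?, stats?}.
function checkBraceInput(input, limits = {}) {
  const l = { ...DEFAULT_LIMITS, ...limits };
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > l.maxLength) return { ok: false, reason: 'input too long' };
  const stats = braceGroupStats(input);
  if (stats.groups > l.maxGroups) return { ok: false, reason: 'too many brace groups' };
  if (stats.maxRun > l.maxNonExpandingRun) {
    return { ok: false, reason: 'too many consecutive non-expanding groups' };
  }
  return { ok: true, stats };
}

// Wrap the real expander: pass brace-expansion's expand as expandFn.
function safeExpand(input, expandFn, limits = {}) {
  const check = checkBraceInput(input, limits);
  if (!check.ok) throw new RangeError(`rejected brace pattern: ${check.reason}`);
  return expandFn(input);
}

// Constructed sample inputs for demonstration.
const BENIGN_PATTERN = 'file{1..3}.{txt,md}';
const CRAFTED_PATTERN = '{a}'.repeat(40);  // 40 adjacent non-expanding groups

function demo(expandFn) {
  const out = { benign: safeExpand(BENIGN_PATTERN, expandFn) };
  try {
    safeExpand(CRAFTED_PATTERN, expandFn);
    out.crafted = 'accepted';
  } catch (e) {
    out.crafted = e instanceof RangeError ? 'rejected' : 'error';
  }
  return out;
}

console.log(braceGroupStats(CRAFTED_PATTERN));
console.log(demo((s) => [s]));   // identity expander stands in for the real one here
```

In production, import expand from brace-expansion and call safeExpand(pattern, expand); the guard is a stopgap that keeps untrusted patterns off the event loop until the patched version is installed, and the limits should be set to the smallest values that still accept the patterns the application actually uses.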
OpenCVE Enrichment