Description
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Published: 2026-02-04
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

@isaacs/brace-expansion, a TypeScript fork of the brace‑expansion library, contains a denial of service flaw that triggers when an attacker supplies a pattern with repeated numeric brace ranges. The library attempts to eagerly generate every combination synchronously, and because the possible combinations grow exponentially, even a modest input can exhaust CPU cycles and memory, eventually crashing the Node.js process. The issue is rooted in resource exhaustion (CWE‑1333) and potential uncontrolled recursion or expansion (CWE‑409).

Affected Systems

Applications that depend on isaacs:brace-expansion before version 5.0.1 are affected. Any Node.js project importing this library, especially those that process user‑supplied brace patterns, should be considered vulnerable. The problem is limited to the library itself; other Node.js modules are not directly impacted unless they transitively use brace‑expansion.

Risk and Exploitability

The flaw carries a CVSS score of 9.2, indicating a high severity impact. Current exploit probability according to EPSS is below 1%, suggesting a low likelihood of widespread exploitation, though no high‑profile exploits have been reported. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote or local, depending on whether the application accepts user input that is handed to brace‑expansion. An attacker could send a crafted pattern over the network or supply it via a command line argument, leading to denial of service against the affected process.

Generated by OpenCVE AI on April 17, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @isaacs/brace-expansion to version 5.0.1 or later.
  • Validate or sanitize patterns before passing them to brace‑expansion, rejecting or limiting excessively large brace ranges.
  • Configure Node.js resource limits (e.g., --max-old-space-size) and monitor CPU/memory usage to detect and mitigate sudden spikes that may indicate abuse.

Generated by OpenCVE AI on April 17, 2026 at 23:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7h2j-956f-4vf2 @isaacs/brace-expansion has Uncontrolled Resource Consumption
History

Sat, 07 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-409
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Isaacs
Isaacs brace-expansion
Vendors & Products Isaacs
Isaacs brace-expansion

Wed, 04 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Title Uncontrolled Resource Consumption in @isaacs/brace-expansion
Weaknesses CWE-1333
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Isaacs Brace-expansion
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:31:38.349Z

Reserved: 2026-02-02T19:59:47.376Z

Link: CVE-2026-25547

cve-icon Vulnrichment

Updated: 2026-02-05T14:24:51.376Z

cve-icon NVD

Status : Deferred

Published: 2026-02-04T22:16:00.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25547

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T21:51:17Z

Links: CVE-2026-25547 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses