Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The brace-expansion library generates strings from brace patterns. A zero‑step value (e.g., {1..2..0}) causes its sequence generator to loop indefinitely, making the calling process hang for seconds and allocating large amounts of memory. The result is a denial of service that would impact the application or container in which the library runs. The weakness is classified as uncontrolled resource consumption (CWE‑400) and unchecked input handling (CWE‑606). No evidence indicates code execution is possible.

Affected Systems

The vulnerability affects all releases of the npm package brace-expansion by Julian Gruber that are older than version 5.0.5, 3.0.2, 2.0.3, and 1.1.13. Any project that imports this package directly or indirectly via another dependency is at risk unless the library has been upgraded to a fixed release.

Risk and Exploitability

The CVSS score for this issue is 6.5, reflecting moderate severity. EPSS indicates less than 1% probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the flaw by supplying a brace pattern with a zero step value to expand() from untrusted input, causing the process to hang and use excessive memory. The likely attack vector would require an application that calls expand() with user‑controlled data, potentially leading to a loss of availability for the affected system.

Generated by OpenCVE AI on March 31, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the brace-expansion package to a fixed version (>=5.0.5, 3.0.2, 2.0.3, or 1.1.13 depending on your environment).
  • If an upgrade is not immediately possible, sanitize all strings passed to expand() to ensure a step value of zero is never used.
  • Consider enforcing resource limits or monitoring for abnormal memory usage to detect potential hangs caused by this vulnerability.

Generated by OpenCVE AI on March 31, 2026 at 06:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
History

Wed, 22 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:juliangruber:brace-expansion:*:*:*:*:*:node.js:*:*

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Juliangruber
Juliangruber brace-expansion
Vendors & Products Juliangruber
Juliangruber brace-expansion

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Title brace-expansion: Zero-step sequence causes process hang and memory exhaustion
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Juliangruber Brace-expansion
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:48:06.779Z

Reserved: 2026-03-23T18:30:14.124Z

Link: CVE-2026-33750

cve-icon Vulnrichment

Updated: 2026-03-27T14:48:01.499Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T15:16:57.297

Modified: 2026-04-22T14:23:19.110

Link: CVE-2026-33750

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T14:04:52Z

Links: CVE-2026-33750 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:01:16Z

Weaknesses