Impact
The brace-expansion library generates enumerations of numeric or string ranges. In versions 5.0.0 through 5.0.5 the max option is applied only after the full sequence has been built. When an input such as {1..10000000} is processed, the library first allocates an array holding ten million intermediate elements and only then truncates it to the configured limit. This results in the allocation of roughly 505 MB of memory and a pause of about 800 ms, effectively denying service to the running process. The CVSS score of 6.5 reflects a moderate risk stemming from this resource exhaustion.
Affected Systems
The affected product is the brace-expansion library from Juliangruber. All releases from 5.0.0 up to and including 5.0.5 are impacted. Upgrading to version 5.0.6 or later resolves the vulnerability.
Risk and Exploitability
The flaw remains exploitable in environments that retain older library versions, particularly when the library processes untrusted input that may contain large numeric ranges. An attacker who can inject such a range can force the application to consume large amounts of memory and CPU time, potentially leading to application slowdown or crash. While no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, the moderate CVSS score and the library's widespread use suggest that administrators treat the risk as non-negligible wherever external data is expanded. The most likely attack vector is any code path that passes user-supplied strings to brace-expansion, whether in a web server, script runner, or build tool.
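The allocation pattern described under Impact, and the pre-check a consumer can apply to untrusted input before expansion, as an added illustrative example (not the brace-expansion library's own code; the function names, the MAX_ITEMS limit and the ascending-only range parser are assumptions):

```javascript
// Assumed limit standing in for the library's max option (constructed value).
const MAX_ITEMS = 1000;

// Flawed pattern from the advisory: every element of the range is materialised
// first, and the limit is only applied afterwards with a slice. `allocated`
// records how many elements were pushed before truncation.
function expandRangeNaive(lo, hi, max = MAX_ITEMS) {
  const out = [];
  for (let i = lo; i <= hi; i++) out.push(String(i)); // full range allocated
  return { items: out.slice(0, max), allocated: out.length };
}

// Hardened form: the limit bounds the loop itself, so no more than `max`
// elements are ever allocated regardless of how large the requested range is.
function expandRangeBounded(lo, hi, max = MAX_ITEMS) {
  const out = [];
  for (let i = lo; i <= hi && out.length < max; i++) out.push(String(i));
  return { items: out, allocated: out.length };
}

// Consumer-side guard for untrusted patterns: find every {a..b} numeric range
// in the string and return the size of the largest one (0 if there is none),
// without expanding anything. Hypothetical helper, not part of the library.
function largestRangeIn(pattern) {
  const re = /\{(-?\d+)\.\.(-?\d+)\}/g;
  let largest = 0;
  for (const m of pattern.matchAll(re)) {
    const size = Math.abs(Number(m[2]) - Number(m[1])) + 1;
    if (size > largest) largest = size;
  }
  return largest;
}

// Reject a pattern before it reaches the expander if any range would exceed
// the limit; this protects even an unpatched 5.0.x build.
function isSafeToExpand(pattern, max = MAX_ITEMS) {
  return largestRangeIn(pattern) <= max;
}
```

On a patched library the bounded loop makes the guard redundant, but the guard is still the cheaper defence when the limit the application tolerates is lower than the library's default.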
OpenCVE Enrichment
GitHub GHSA