Home

Description

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

PUBLISHED Reserved 2026-06-24 | Published 2026-06-30 | Updated 2026-07-08 | Assigner seal




HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:U/V:D/RE:M/U:Amber

Problem types

CWE-400 Uncontrolled Resource Consumption

CWE-407 Inefficient Algorithmic Complexity

Product status

Default status
unaffected

Any version
affected

Credits

bnbdr finder

References

github.com/...ommit/c7e33ec13ac1a684c116720843ce24e208611754

www.npmjs.com/package/brace-expansion

cve.org (CVE-2026-13149)

nvd.nist.gov (CVE-2026-13149)

Download JSON