Lookup for vulnerable packages by Package URL.

Purl pkg:npm/brace-expansion@2.0.3
Type npm
Namespace
Name brace-expansion
Version 2.0.3
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 3.0.1
Latest_non_vulnerable_version 5.0.5
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-q2nx-7z24-13dd
vulnerability_id VCID-q2nx-7z24-13dd
summary
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
### Impact

A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate large amounts of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

`test()` is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting `max` to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to `expand()`, or that mistakenly sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The triggering input is only 10 bytes.

### Patches

Upgrade to versions
- 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

### Workarounds

Sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
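Added example, not code from the advisory or the brace-expansion project: a guard for callers that hand untrusted patterns to `expand()` and cannot upgrade yet, plus a numeric sequence generator that applies the same rule as the 5.0.5 fix (a zero step is treated as 1, as bash does). It assumes a simplified sequence grammar with no nested braces or escaping.

```javascript
// Added example (not from the brace-expansion project): detect and sanitize
// zero-step sequences before a pattern reaches expand(), and show the fixed
// increment rule that makes sequence generation terminate for any step value.

// A sequence with an explicit step: {1..2..0}, {a..e..0}, {10..1..-0}.
// Nested braces and escaping are deliberately not handled; this is a guard,
// not a reimplementation of the library's parser.
const SEQ_WITH_STEP = /\{(-?\d+|[A-Za-z])\.\.(-?\d+|[A-Za-z])\.\.(-?\d+)\}/g;
const NUMERIC = /^-?\d+$/;

// The library only treats {x..y..s} as a sequence when x and y are both numbers
// or both single letters; mixed forms expand as literals and are left alone.
function isSequenceBounds(start, end) {
  return NUMERIC.test(start) === NUMERIC.test(end);
}

// Report every zero-step sequence in a pattern, e.g. for logging or alerting
// on untrusted CLI arguments and config values before they are expanded.
function findZeroStepSequences(pattern) {
  const hits = [];
  for (const m of pattern.matchAll(SEQ_WITH_STEP)) {
    if (isSequenceBounds(m[1], m[2]) && Number(m[3]) === 0) hits.push(m[0]);
  }
  return hits;
}

// Rewrite {x..y..0} to {x..y..1}; everything else in the pattern is untouched.
function sanitizeBraceSteps(pattern) {
  return pattern.replace(SEQ_WITH_STEP, (whole, start, end, step) =>
    isSequenceBounds(start, end) && Number(step) === 0
      ? `{${start}..${end}..1}`
      : whole);
}

// Numeric sequence generation with the fixed increment rule. Because `incr`
// is never 0, the loop variable always advances and the loop terminates.
function expandNumericSequence(start, end, step) {
  const incr = Math.abs(step) || 1; // the fix: a zero step becomes 1
  const out = [];
  if (start <= end) {
    for (let i = start; i <= end; i += incr) out.push(i);
  } else {
    for (let i = start; i >= end; i -= incr) out.push(i);
  }
  return out;
}
```

Call `sanitizeBraceSteps()` on the pattern immediately before `expand()`, and use `findZeroStepSequences()` where you want the rejected input recorded rather than silently repaired.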
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.05995
published_at 2026-04-21T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18207
published_at 2026-04-16T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18263
published_at 2026-04-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18315
published_at 2026-04-12T12:55:00Z
4
value 0.00058
scoring_system epss
scoring_elements 0.18362
published_at 2026-04-11T12:55:00Z
5
value 0.00058
scoring_system epss
scoring_elements 0.18309
published_at 2026-04-08T12:55:00Z
6
value 0.00058
scoring_system epss
scoring_elements 0.18225
published_at 2026-04-07T12:55:00Z
7
value 0.00058
scoring_system epss
scoring_elements 0.18515
published_at 2026-04-04T12:55:00Z
8
value 0.00058
scoring_system epss
scoring_elements 0.18461
published_at 2026-04-02T12:55:00Z
9
value 0.00058
scoring_system epss
scoring_elements 0.1822
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
3
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
4
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
5
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
6
reference_url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
7
reference_url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
8
reference_url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
9
reference_url https://github.com/juliangruber/brace-expansion/issues/98
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/issues/98
10
reference_url https://github.com/juliangruber/brace-expansion/pull/95
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/95
11
reference_url https://github.com/juliangruber/brace-expansion/pull/96
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/96
12
reference_url https://github.com/juliangruber/brace-expansion/pull/97
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/97
13
reference_url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
reference_id 1132163
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
reference_id 2452285
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
17
reference_url https://github.com/advisories/GHSA-f886-m6hf-6m8v
reference_id GHSA-f886-m6hf-6m8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f886-m6hf-6m8v
fixed_packages
0
url pkg:npm/brace-expansion@1.1.13
purl pkg:npm/brace-expansion@1.1.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@1.1.13
1
url pkg:npm/brace-expansion@2.0.3
purl pkg:npm/brace-expansion@2.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@2.0.3
2
url pkg:npm/brace-expansion@3.0.2
purl pkg:npm/brace-expansion@3.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@3.0.2
3
url pkg:npm/brace-expansion@5.0.5
purl pkg:npm/brace-expansion@5.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@5.0.5
aliases CVE-2026-33750, GHSA-f886-m6hf-6m8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q2nx-7z24-13dd
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@2.0.3