# Vulnerability VCID-q4u6-6pbw-5bcq

## Summary

@isaacs/brace-expansion has Uncontrolled Resource Consumption

### Summary

`@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.

### Details

The vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller.

For example, the following input:

```
{0..99}{0..99}{0..99}{0..99}{0..99}
```

produces:

```
100^5 = 10,000,000,000 combinations
```

This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination.
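As an added example (not code from the advisory or from the brace-expansion project), the following computes the size of an expansion before performing it, so that a service can refuse an untrusted pattern instead of expanding it eagerly. The brace grammar it understands and the cap of 10,000 results are assumptions made for this illustration.

```javascript
// Added example, not code from the advisory or the brace-expansion project:
// estimate how many strings a brace pattern would produce BEFORE expanding it,
// so a service can refuse untrusted patterns instead of expanding them eagerly.
// Assumptions (ours): the two brace forms the advisory relies on are modelled,
// ranges {a..b} / {a..b..step} (numeric or single-character) and comma lists
// {x,y,z}; nested or unbalanced braces are not estimated and fail closed.

const MAX_EXPANSIONS = 10000; // constructed cap, tune per service

// Number of alternatives produced by one brace body such as "0..99" or "a,b,c".
function countBody(body) {
  const numeric = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  if (numeric) {
    const step = Math.abs(Number(numeric[3] ?? 1)) || 1;
    return Math.floor(Math.abs(Number(numeric[2]) - Number(numeric[1])) / step) + 1;
  }
  const alpha = /^([A-Za-z])\.\.([A-Za-z])$/.exec(body);
  if (alpha) {
    return Math.abs(alpha[2].charCodeAt(0) - alpha[1].charCodeAt(0)) + 1;
  }
  return body.split(',').length; // comma list: one result per alternative
}

// Total number of expansions of `pattern`; the counts of consecutive groups
// multiply, which is exactly the exponential blow-up the advisory describes.
// Returns Infinity for nested or unbalanced braces so callers reject them.
function estimateExpansions(pattern) {
  let total = 1;
  let depth = 0;
  let start = -1;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '{') {
      if (depth++ > 0) return Infinity; // nested group: refuse to estimate
      start = i + 1;
    } else if (ch === '}') {
      if (--depth < 0) return Infinity; // stray closing brace
      total *= countBody(pattern.slice(start, i));
    }
  }
  return depth === 0 ? total : Infinity;
}

// Gate to run on untrusted input before calling expand() on it.
function isSafeToExpand(pattern, cap = MAX_EXPANSIONS) {
  return estimateExpansions(pattern) <= cap;
}
```

For the advisory's pattern the estimate is 100^5 = 10,000,000,000, so the gate rejects it without allocating anything.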

### Proof of Concept

The following script reliably triggers the issue.

Create `poc.js`:

```js
const { expand } = require('@isaacs/brace-expansion');

const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';

console.log('Starting expansion...');
expand(pattern);
```

Run it:

```bash
node poc.js
```

The process will freeze and typically crash with an error such as:

```
FATAL ERROR: JavaScript heap out of memory
```

### Impact

This is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash.

An attacker does not require authentication and can use a very small payload to:

* Trigger exponential computation
* Exhaust memory and CPU resources
* Block the event loop
* Crash Node.js services relying on this library

## Aliases

* CVE-2026-25547
* GHSA-7h2j-956f-4vf2

## Fixed packages

Each package is listed by purl and linked to its VulnerableCode record; none of these versions is vulnerable to this issue.

* [pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie)
* [pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2)
* [pkg:npm/%40isaacs/brace-expansion@5.0.1](http://public2.vulnerablecode.io/packages/pkg:npm/%2540isaacs/brace-expansion@5.0.1)

## Affected packages

Each package is listed by purl and linked to its VulnerableCode record. All of them are vulnerable to VCID-q4u6-6pbw-5bcq; where the record also lists other vulnerabilities affecting the same package version, they are given after the link.

* [pkg:deb/debian/node-brace-expansion@2.0.0-1?distro=trixie](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.0-1%3Fdistro=trixie): also affected by VCID-q2nx-7z24-13dd, VCID-ugqu-gsa9-y7fq
* [pkg:deb/debian/node-brace-expansion@2.0.0-1](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.0-1): also affected by VCID-q2nx-7z24-13dd, VCID-ugqu-gsa9-y7fq
* [pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1-2%3Fdistro=trixie): also affected by VCID-q2nx-7z24-13dd, VCID-ugqu-gsa9-y7fq
* [pkg:deb/debian/node-brace-expansion@2.0.1-2](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1-2): also affected by VCID-q2nx-7z24-13dd, VCID-ugqu-gsa9-y7fq
* [pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2): also affected by VCID-q2nx-7z24-13dd
* [pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2%3Fdistro=trixie): also affected by VCID-q2nx-7z24-13dd
* [pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie](http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie)
* [pkg:npm/%40isaacs/brace-expansion@5.0.0](http://public2.vulnerablecode.io/packages/pkg:npm/%2540isaacs/brace-expansion@5.0.0)
* [pkg:rpm/redhat/nodejs22@1:22.22.2-1?arch=el10_1](http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/nodejs22@1:22.22.2-1%3Farch=el10_1): also affected by VCID-dt7u-3usg-9uet, VCID-gv39-q6pw-yfh4, VCID-hgd1-7u6j-p7dh, VCID-hzsn-68be-dkej, VCID-kq3k-xr3z-z3c4, VCID-n6ew-t7g1-33gn, VCID-sy2z-sqgk-d7hg, VCID-z7ac-jr58-gkfm
* [pkg:rpm/redhat/nodejs22@1:22.22.2-2?arch=el10_0](http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/nodejs22@1:22.22.2-2%3Farch=el10_0): also affected by VCID-dt7u-3usg-9uet, VCID-gv39-q6pw-yfh4, VCID-hgd1-7u6j-p7dh, VCID-hzsn-68be-dkej, VCID-kq3k-xr3z-z3c4, VCID-n6ew-t7g1-33gn, VCID-sy2z-sqgk-d7hg, VCID-z7ac-jr58-gkfm
* [pkg:rpm/redhat/nodejs24@1:24.14.1-2?arch=el10_1](http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/nodejs24@1:24.14.1-2%3Farch=el10_1): also affected by VCID-1vp3-fzdr-yqbm, VCID-2t7c-dju9-pff6, VCID-96yh-1wub-zucg, VCID-bjza-25hu-vkad, VCID-dgkh-jdah-wfh9, VCID-dt7u-3usg-9uet, VCID-fetp-hvhq-dube, VCID-gv39-q6pw-yfh4, VCID-hgd1-7u6j-p7dh, VCID-hzsn-68be-dkej, VCID-n6ew-t7g1-33gn, VCID-ph2p-u33d-8yh3, VCID-sy2z-sqgk-d7hg, VCID-twc8-ewm7-wkb1, VCID-vdca-exd1-rfce, VCID-xert-byqc-xbe2, VCID-z7ac-jr58-gkfm

## References

Scores recorded against each reference are given after it.

* https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25547.json (Red Hat security data): CVSS v3 6.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`
* https://api.first.org/data/v1/epss?cve=CVE-2026-25547 (FIRST EPSS): see the EPSS history table below
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25547
* https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml (SUSE): CVSS v3.1 7.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
* https://github.com/isaacs/brace-expansion: CVSS v4 8.7, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`; textual severity HIGH
* https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2: CVSS v3.1 qualitative rating HIGH; CVSS v4 8.7, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`; CVSS v4 9.2, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H`; textual severity HIGH; SSVC decision Track, `SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:24:50Z/`
* https://nvd.nist.gov/vuln/detail/CVE-2026-25547 (NVD): CVSS v4 8.7, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`; textual severity HIGH
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313 (Debian bug 1127313)
* https://bugzilla.redhat.com/show_bug.cgi?id=2436942 (Red Hat Bugzilla 2436942)
* https://github.com/advisories/GHSA-7h2j-956f-4vf2 (GHSA-7h2j-956f-4vf2): CVSS v3.1 qualitative rating HIGH
* https://access.redhat.com/errata/RHSA-2026:7080 (RHSA-2026:7080)
* https://access.redhat.com/errata/RHSA-2026:7123 (RHSA-2026:7123)
* https://access.redhat.com/errata/RHSA-2026:7302 (RHSA-2026:7302)
* https://access.redhat.com/errata/RHSA-2026:7310 (RHSA-2026:7310)
* https://access.redhat.com/errata/RHSA-2026:7350 (RHSA-2026:7350)
* https://access.redhat.com/errata/RHSA-2026:7675 (RHSA-2026:7675)
* https://access.redhat.com/errata/RHSA-2026:7983 (RHSA-2026:7983)

EPSS history for CVE-2026-25547, as recorded from the FIRST EPSS reference above (ordered by publication date):

| Published (UTC) | EPSS score | Percentile |
|---|---|---|
| 2026-04-02 12:55 | 0.00019 | 0.05088 |
| 2026-04-04 12:55 | 0.00019 | 0.05118 |
| 2026-04-07 12:55 | 0.00019 | 0.05139 |
| 2026-04-08 12:55 | 0.00019 | 0.05173 |
| 2026-04-09 12:55 | 0.00019 | 0.0519 |
| 2026-04-11 12:55 | 0.00019 | 0.05161 |
| 2026-04-12 12:55 | 0.00019 | 0.05144 |
| 2026-04-13 12:55 | 0.0002 | 0.05412 |
| 2026-04-16 12:55 | 0.0002 | 0.05366 |
| 2026-04-18 12:55 | 0.0002 | 0.05369 |

## Weaknesses

* CWE-1333, Inefficient Regular Expression Complexity: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
* CWE-937, OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities: Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
* CWE-1035, OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities: Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
* CWE-409, Improper Handling of Highly Compressed Data (Data Amplification): The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

## Exploits

(none listed)

## Scores

| Metric | Value |
|---|---|
| Severity range score | 6.5 - 9.2 |
| Exploitability | 0.5 |
| Weighted severity | 8.3 |
| Risk score | 4.2 |

Resource URL: http://public2.vulnerablecode.io/vulnerabilities/VCID-q4u6-6pbw-5bcq