Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-q2nx-7z24-13dd
Summary
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
### Impact

A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate a large amount of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

`test()` is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting `max` to any value has no effect because the limit is only checked at the output-combination step, not during sequence generation.

This affects any application that passes untrusted strings to `expand()`, or that mistakenly sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

### Patches

Upgrade to versions
- 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

### Workarounds

Sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
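The workaround above, as an added example that is not code from brace-expansion or from the advisory: a pre-check that rejects patterns containing a zero-step sequence before they reach `expand()`, beside a bounded sequence generator that applies the same rule the 5.0.5 fix does (a step of 0 treated as 1) and caps sequence length during generation rather than only at the output-combination step. `SEQ_RE`, `guardedExpand`, `expandFn` and the `maxLength` cap are assumptions made for this illustration, not part of the library.

```javascript
// Added example, not code from brace-expansion or the advisory.
// Defensive handling of zero-step sequence patterns (e.g. "{1..2..0}")
// for callers that pass untrusted strings to expand().

// Matches bash-style sequence expressions: {from..to} or {from..to..step},
// where from/to are integers or single letters and step is an integer.
// The regex and its coverage are an assumption of this example.
const SEQ_RE = /\{(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?\}/g;

// Pre-check for the workaround: does the pattern contain any sequence whose
// explicit step parses to zero ("0", "00", "-0")?
function hasZeroStepSequence(pattern) {
  for (const m of pattern.matchAll(SEQ_RE)) {
    if (m[3] !== undefined && Number(m[3]) === 0) return true;
  }
  return false;
}

// Same rule the 5.0.5 fix applies: the increment is |step|, and 0 becomes 1.
function safeStep(step) {
  const inc = Math.abs(step);
  return inc === 0 ? 1 : inc;
}

// Bounded numeric sequence generation. The element count is computed from
// from/to/step and checked against maxLength before anything is allocated,
// which is the check the advisory notes the vulnerable loop lacked.
function expandSequence(from, to, step, maxLength = 10000) {
  const inc = safeStep(step);
  const length = Math.floor(Math.abs(to - from) / inc) + 1;
  if (length > maxLength) {
    throw new RangeError(`sequence of ${length} elements exceeds limit ${maxLength}`);
  }
  const out = [];
  const dir = from <= to ? 1 : -1;
  for (let i = 0; i < length; i++) out.push(from + dir * i * inc);
  return out;
}

// Wrapper for callers that cannot yet upgrade: reject zero-step patterns
// before handing the string to the real expand function (expandFn is a
// hypothetical stand-in for brace-expansion's expand()).
function guardedExpand(pattern, expandFn) {
  if (hasZeroStepSequence(pattern)) {
    throw new RangeError('brace pattern with zero step rejected');
  }
  return expandFn(pattern);
}
```

For a minimatch/glob-based tool, `hasZeroStepSequence` belongs at the point where patterns are read from CLI arguments or config files, so the rejection happens before any expansion work is done; `expandSequence` shows why the cap has to live inside sequence generation, since the `length` is known before the first element is pushed.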
Aliases
0
alias CVE-2026-33750
1
alias GHSA-f886-m6hf-6m8v
Fixed_packages
0
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-1%3Fdistro=trixie
1
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2%3Fdistro=trixie
2
url pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2
purl pkg:deb/debian/node-brace-expansion@2.0.3%2B~1.1.2-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.3%252B~1.1.2-2
3
url pkg:npm/brace-expansion@1.1.13
purl pkg:npm/brace-expansion@1.1.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@1.1.13
4
url pkg:npm/brace-expansion@2.0.3
purl pkg:npm/brace-expansion@2.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@2.0.3
5
url pkg:npm/brace-expansion@3.0.2
purl pkg:npm/brace-expansion@3.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@3.0.2
6
url pkg:npm/brace-expansion@5.0.5
purl pkg:npm/brace-expansion@5.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@5.0.5
Affected_packages
0
url pkg:deb/debian/node-brace-expansion@2.0.0-1?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.0-1%3Fdistro=trixie
1
url pkg:deb/debian/node-brace-expansion@2.0.0-1
purl pkg:deb/debian/node-brace-expansion@2.0.0-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.0-1
2
url pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1-2%3Fdistro=trixie
3
url pkg:deb/debian/node-brace-expansion@2.0.1-2
purl pkg:deb/debian/node-brace-expansion@2.0.1-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
2
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1-2
4
url pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2
purl pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2
5
url pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
purl pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-q4u6-6pbw-5bcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-brace-expansion@2.0.1%252B~1.1.0-2%3Fdistro=trixie
6
url pkg:npm/brace-expansion@2.0.0
purl pkg:npm/brace-expansion@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@2.0.0
7
url pkg:npm/brace-expansion@3.0.0
purl pkg:npm/brace-expansion@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@3.0.0
8
url pkg:npm/brace-expansion@4.0.0
purl pkg:npm/brace-expansion@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q2nx-7z24-13dd
1
vulnerability VCID-ugqu-gsa9-y7fq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/brace-expansion@4.0.0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33750.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.05995
published_at 2026-04-21T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18207
published_at 2026-04-16T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18263
published_at 2026-04-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18315
published_at 2026-04-12T12:55:00Z
4
value 0.00058
scoring_system epss
scoring_elements 0.18362
published_at 2026-04-11T12:55:00Z
5
value 0.00058
scoring_system epss
scoring_elements 0.18309
published_at 2026-04-08T12:55:00Z
6
value 0.00058
scoring_system epss
scoring_elements 0.18225
published_at 2026-04-07T12:55:00Z
7
value 0.00058
scoring_system epss
scoring_elements 0.18515
published_at 2026-04-04T12:55:00Z
8
value 0.00058
scoring_system epss
scoring_elements 0.18461
published_at 2026-04-02T12:55:00Z
9
value 0.00058
scoring_system epss
scoring_elements 0.1822
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33750
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33750
3
reference_url https://github.com/juliangruber/brace-expansion
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/juliangruber/brace-expansion
4
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
5
reference_url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
6
reference_url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
7
reference_url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
8
reference_url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
9
reference_url https://github.com/juliangruber/brace-expansion/issues/98
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/issues/98
10
reference_url https://github.com/juliangruber/brace-expansion/pull/95
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/95
11
reference_url https://github.com/juliangruber/brace-expansion/pull/96
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/96
12
reference_url https://github.com/juliangruber/brace-expansion/pull/97
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/pull/97
13
reference_url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:47:58Z/
url https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33750
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
reference_id 1132163
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
reference_id 2452285
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452285
17
reference_url https://github.com/advisories/GHSA-f886-m6hf-6m8v
reference_id GHSA-f886-m6hf-6m8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f886-m6hf-6m8v
Weaknesses
0
cwe_id 400
name Uncontrolled Resource Consumption
description The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
1
cwe_id 606
name Unchecked Input for Loop Condition
description The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q2nx-7z24-13dd