VulnerableCode Package Details - pkg:deb/debian/node-brace-expansion@2.0.1%2B~1.1.0-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-q2nx-7z24-13dd Aliases: CVE-2026-33750 GHSA-f886-m6hf-6m8v	brace-expansion: Zero-step sequence causes process hang and memory exhaustion ### Impact A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question: https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 `test()` is one of https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation. This affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes. ### Patches Upgrade to versions - 5.0.5+ A step increment of 0 is now sanitized to 1, which matches bash behavior. ### Workarounds Sanitize strings passed to `expand()` to ensure a step value of `0` is not used.	2.0.3+~1.1.2-2 Affected by 0 other vulnerabilities.
VCID-q4u6-6pbw-5bcq Aliases: CVE-2026-25547 GHSA-7h2j-956f-4vf2	@isaacs/brace-expansion has Uncontrolled Resource Consumption ### Summary `@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. ### Details The vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller. For example, the following input: ``` {0..99}{0..99}{0..99}{0..99}{0..99} ``` produces: ``` 100^5 = 10,000,000,000 combinations ``` This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination. ### Proof of Concept The following script reliably triggers the issue. Create `poc.js`: ```js const { expand } = require('@isaacs/brace-expansion'); const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}'; console.log('Starting expansion...'); expand(pattern); ``` Run it: ```bash node poc.js ``` The process will freeze and typically crash with an error such as: ``` FATAL ERROR: JavaScript heap out of memory ``` ### Impact This is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash. An attacker does not require authentication and can use a very small payload to: * Trigger exponential computation * Exhaust memory and CPU resources * Block the event loop * Crash Node.js services relying on this library	2.0.3+~1.1.2-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-q2nx-7z24-13dd
Aliases:
CVE-2026-33750
GHSA-f886-m6hf-6m8v

brace-expansion: Zero-step sequence causes process hang and memory exhaustion ### Impact A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question: https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 `test()` is one of https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation. This affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes. ### Patches Upgrade to versions - 5.0.5+ A step increment of 0 is now sanitized to 1, which matches bash behavior. ### Workarounds Sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

2.0.3+~1.1.2-2
Affected by 0 other vulnerabilities.

VCID-q4u6-6pbw-5bcq
Aliases:
CVE-2026-25547
GHSA-7h2j-956f-4vf2

@isaacs/brace-expansion has Uncontrolled Resource Consumption ### Summary `@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. ### Details The vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller. For example, the following input: ``` {0..99}{0..99}{0..99}{0..99}{0..99} ``` produces: ``` 100^5 = 10,000,000,000 combinations ``` This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination. ### Proof of Concept The following script reliably triggers the issue. Create `poc.js`: ```js const { expand } = require('@isaacs/brace-expansion'); const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}'; console.log('Starting expansion...'); expand(pattern); ``` Run it: ```bash node poc.js ``` The process will freeze and typically crash with an error such as: ``` FATAL ERROR: JavaScript heap out of memory ``` ### Impact This is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash. An attacker does not require authentication and can use a very small payload to: * Trigger exponential computation * Exhaust memory and CPU resources * Block the event loop * Crash Node.js services relying on this library

2.0.3+~1.1.2-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ugqu-gsa9-y7fq	brace-expansion Regular Expression Denial of Service vulnerability A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.	CVE-2025-5889 GHSA-v6h2-p8h4-qcjw

Vulnerability

Summary

Aliases

VCID-ugqu-gsa9-y7fq

brace-expansion Regular Expression Denial of Service vulnerability A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.

CVE-2025-5889
GHSA-v6h2-p8h4-qcjw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:44:29.582025+00:00	Debian Importer	Affected by	VCID-q2nx-7z24-13dd	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:30:14.285793+00:00	Debian Importer	Affected by	VCID-q4u6-6pbw-5bcq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:05:01.248946+00:00	Debian Importer	Fixing	VCID-ugqu-gsa9-y7fq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:00:17.640939+00:00	Debian Importer	Affected by	VCID-q2nx-7z24-13dd	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:05:26.073954+00:00	Debian Importer	Affected by	VCID-q4u6-6pbw-5bcq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:05:13.204983+00:00	Debian Importer	Fixing	VCID-ugqu-gsa9-y7fq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-08T19:19:58.648555+00:00	Debian Importer	Affected by	VCID-q2nx-7z24-13dd	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T18:42:37.534043+00:00	Debian Importer	Affected by	VCID-q4u6-6pbw-5bcq	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-04T17:55:46.079826+00:00	Debian Importer	Fixing	VCID-ugqu-gsa9-y7fq	https://security-tracker.debian.org/tracker/data/json	38.1.0