Search for packages
| purl | pkg:deb/debian/node-brace-expansion@2.0.1-2?distro=trixie |
| Next non-vulnerable version | 2.0.3+~1.1.2-2 |
| Latest non-vulnerable version | 2.0.3+~1.1.2-2 |
| Risk | 4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-q2nx-7z24-13dd
Aliases: CVE-2026-33750 GHSA-f886-m6hf-6m8v |
brace-expansion: Zero-step sequence causes process hang and memory exhaustion ### Impact A brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question: https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 `test()` is one of https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 The increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation. This affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes. ### Patches Upgrade to versions - 5.0.5+ A step increment of 0 is now sanitized to 1, which matches bash behavior. ### Workarounds Sanitize strings passed to `expand()` to ensure a step value of `0` is not used. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-q4u6-6pbw-5bcq
Aliases: CVE-2026-25547 GHSA-7h2j-956f-4vf2 |
@isaacs/brace-expansion has Uncontrolled Resource Consumption ### Summary `@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. ### Details The vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller. For example, the following input: ``` {0..99}{0..99}{0..99}{0..99}{0..99} ``` produces: ``` 100^5 = 10,000,000,000 combinations ``` This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination. ### Proof of Concept The following script reliably triggers the issue. Create `poc.js`: ```js const { expand } = require('@isaacs/brace-expansion'); const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}'; console.log('Starting expansion...'); expand(pattern); ``` Run it: ```bash node poc.js ``` The process will freeze and typically crash with an error such as: ``` FATAL ERROR: JavaScript heap out of memory ``` ### Impact This is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash. An attacker does not require authentication and can use a very small payload to: * Trigger exponential computation * Exhaust memory and CPU resources * Block the event loop * Crash Node.js services relying on this library |
Affected by 0 other vulnerabilities. |
|
VCID-ugqu-gsa9-y7fq
Aliases: CVE-2025-5889 GHSA-v6h2-p8h4-qcjw |
brace-expansion Regular Expression Denial of Service vulnerability A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component. |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3qmf-2f2m-fbes | Improper Input Validation index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters. |
CVE-2017-18077
GHSA-832h-xg76-4gv6 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T10:02:48.550540+00:00 | Debian Importer | Fixing | VCID-3qmf-2f2m-fbes | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T06:44:21.960191+00:00 | Debian Importer | Fixing | VCID-3qmf-2f2m-fbes | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-08T03:37:23.323352+00:00 | Debian Importer | Affected by | VCID-q4u6-6pbw-5bcq | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:47:05.796480+00:00 | Debian Importer | Affected by | VCID-q2nx-7z24-13dd | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:47:05.745419+00:00 | Debian Importer | Affected by | VCID-ugqu-gsa9-y7fq | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:47:05.688593+00:00 | Debian Importer | Fixing | VCID-3qmf-2f2m-fbes | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |