Resource exhaustion in Juliangruber Brace-expansion
CVE-2026-13149
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand()…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.004 (27.9th percentile)
Affected products
- Juliangruber Brace-expansion — versions 0
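
A pre-validation guard for applications that pass untrusted strings to expand(), shown as an added example that is not part of the advisory or of the brace-expansion project. It assumes the "'{}' brace groups" in the description are the literal two-character sequence "{}"; the names checkPattern and guardedExpand and both limits are hypothetical.

```javascript
// Added example: reject risky patterns before they reach brace-expansion's expand().
// Both limits are assumptions; tune them to the patterns your application accepts.
const MAX_PATTERN_LENGTH = 1024; // assumed cap on overall pattern length
const MAX_EMPTY_GROUPS = 8;      // assumed cap on literal "{}" groups per pattern

// Count non-overlapping literal "{}" pairs anywhere in the pattern.
// Counting all of them (not only adjacent runs) is the conservative choice.
function countEmptyBraceGroups(pattern) {
  let count = 0;
  let idx = pattern.indexOf('{}');
  while (idx !== -1) {
    count += 1;
    idx = pattern.indexOf('{}', idx + 2);
  }
  return count;
}

// Linear-time check; returns { ok: true } or { ok: false, reason }.
function checkPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'too-long' };
  }
  if (countEmptyBraceGroups(pattern) > MAX_EMPTY_GROUPS) {
    return { ok: false, reason: 'too-many-empty-groups' };
  }
  return { ok: true };
}

// Wrap an expand-like function so rejected input never reaches it.
// expandFn is passed in by the caller, e.g. the library's expand().
function guardedExpand(expandFn, pattern) {
  const verdict = checkPattern(pattern);
  if (!verdict.ok) {
    throw new RangeError(`pattern rejected: ${verdict.reason}`);
  }
  return expandFn(pattern);
}
```

Log rejected patterns with their reason so that repeated rejections from one source show up in monitoring.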