Resource exhaustion in Juliangruber Brace-expansion

CVE-2026-13149

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand()…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.004 (27.9th percentile)
