Resource exhaustion in Juliangruber Brace-expansion
CVE-2026-33750
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loo…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.000 (8.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Affected products
- Juliangruber Brace-expansion — versions >= 4.0.0, < 5.0.5, >= 3.0.0, < 3.0.2, >= 2.0.0, < 2.0.3
Weakness classification (CWE)
References
- https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v (x_refsource_CONFIRM)
- https://github.com/juliangruber/brace-expansion/issues/98 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/pull/95 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/pull/96 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/pull/97 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 (x_refsource_MISC)
- https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-33750?
- CVE-2026-33750 is a medium-severity vulnerability in Juliangruber Brace-expansion, classified under Uncontrolled Resource Consumption. CVSS score: 6.5/10. Published 2026-03-27.
- How severe is CVE-2026-33750?
- Medium severity. CVSS v3 base score is 6.5 out of 10.