PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45149 juliangruber CVE debrief

A vulnerability in the brace-expansion library (versions 5.0.0 to before 5.0.6) allows uncontrolled resource consumption when processing large numeric range patterns. The library's max option, intended to limit output size, is applied too late in the expansion process. When expanding a pattern like {1..10000000}, the library generates all 10 million intermediate elements before enforcing the limit, causing approximately 505 MB of memory allocation and ~800ms of processing time even when max=10 is configured. This represents a denial-of-service vector through resource exhaustion. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and has been remediated in version 5.0.6.

Vendor: juliangruber
Product: brace-expansion
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Developers using brace-expansion with untrusted user input; DevOps teams monitoring for resource exhaustion attacks; security teams assessing supply chain risk in JavaScript/Node.js applications

Technical summary

The brace-expansion library's max option fails to short-circuit large numeric range generation, causing full intermediate array allocation before limit enforcement. Affected versions 5.0.0-5.0.5. Fixed in 5.0.6.

Defensive priority

medium

Recommended defensive actions

  • Upgrade brace-expansion to version 5.0.6 or later
  • Review applications accepting user-supplied brace expansion patterns for potential DoS exposure
  • Implement input validation to restrict range sizes before passing to brace-expansion
  • Monitor for unusual memory consumption in services using brace-expansion with untrusted input
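The third action above (bounding range sizes before the pattern ever reaches brace-expansion) addresses the root cause described in the debrief: the library's max option only trims output after the full intermediate array exists. The following is an added example of such a pre-check; it is not code from brace-expansion or PatchSiren, it assumes the {a..b}, {a..b..step} and {x,y,z} forms, and MAX_RESULTS is a hypothetical application ceiling.

```javascript
// Added example (not from brace-expansion or PatchSiren): bound the number of
// results a pattern could produce BEFORE calling the library, so its `max`
// option is never the only guard against {1..10000000}-style patterns.
// Assumption: MAX_RESULTS is an application-chosen ceiling, not a library value.
const MAX_RESULTS = 1000;

// Items a single sequence range yields, e.g. 1..100, a..z, or 0..50..5.
function rangeLength(start, end, step) {
  const numeric = /^-?\d+$/.test(start) && /^-?\d+$/.test(end);
  const alpha = /^[a-zA-Z]$/.test(start) && /^[a-zA-Z]$/.test(end);
  if (!numeric && !alpha) return 1; // not a real range: expands to itself
  const lo = numeric ? Number(start) : start.charCodeAt(0);
  const hi = numeric ? Number(end) : end.charCodeAt(0);
  const inc = Math.max(1, Math.abs(Number(step) || 1));
  return Math.floor(Math.abs(hi - lo) / inc) + 1;
}

// Conservative upper bound on how many strings `pattern` expands to.
// Sequential groups multiply ({1..3}{a..b} -> 6). Nested groups are not
// parsed here; any brace left after removing innermost groups means nesting
// was present, and Infinity makes the size check fail closed.
function estimateExpansionCount(pattern) {
  const group = /\{([^{}]*)\}/g;
  let count = 1;
  let stripped = pattern;
  let m;
  while ((m = group.exec(pattern)) !== null) {
    const body = m[1];
    const seq = body.match(
      /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/
    );
    if (seq) count *= rangeLength(seq[1], seq[2], seq[3]);
    else if (body.includes(',')) count *= body.split(',').length;
    // otherwise {literal} expands to itself and the count is unchanged
    stripped = stripped.replace(m[0], '');
  }
  if (/[{}]/.test(stripped)) return Infinity;
  return count;
}

// Gate to run on untrusted input before handing it to brace-expansion.
function isSafeToExpand(pattern, limit = MAX_RESULTS) {
  return estimateExpansionCount(pattern) <= limit;
}
```

Because the estimate is computed from the pattern text alone, a rejected pattern costs a regex scan rather than the ~505 MB allocation the debrief describes.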

Evidence notes

Vulnerability description and affected version range derived from official CVE record and GitHub Security Advisory. CVSS 3.1 vector confirms network attack vector with low attack complexity. Fix version 5.0.6 confirmed in advisory.

Official resources

2026-05-29