brace-expansion, Denial of Service (DoS), CVE-2026-45149 (Moderate)

Listen to this Post

How CVE-2026-45149 works:

The brace-expansion Node.js library provides brace expansion similar to bash. It accepts a `max` option to cap the number of expanded items. The vulnerability arises when expanding a single large numeric range (e.g., {1..10000000}). The `max` check is applied after the entire sequence has been generated, not during the generation loop. Consequently, even with max=10, the loop still iterates 10 million times, building a full intermediate array. This allocates roughly 505 MB of memory and consumes about 800 ms of CPU time. The `max` limit is enforced only at the output combination step, which is too late to prevent the resource-heavy generation. The issue affects versions 5.0.0 through 5.0.5. Version 5.0.6 fixes it by moving the `max` check earlier in the loop, stopping further expansion once the limit is reached. An attacker can provide a crafted brace pattern with an enormous range to exhaust memory and CPU, causing a denial of service.

dailycve form:

Platform: brace-expansion
Version: Versions 5.0.0-5.0.5
Vulnerability: max bypass DoS
Severity: Moderate
date: May 18 2026

Prediction: Patch available now

What Undercode Say:

Analytics:

Check current version
npm list brace-expansion
Update to patched version
npm install [email protected]
Verify patch
npm list brace-expansion | grep 5.0.6
Proof of concept (Node.js)
node -e "const expand = require('brace-expansion'); console.time('expand'); expand('{1..10000000}', {max:10}); console.timeEnd('expand'); console.log('Memory:', process.memoryUsage().heapUsed / 1024 / 1024, 'MB')"

Exploit:

// Attack payload: large numeric range with max bypass
const expand = require('brace-expansion');
expand('{1..10000000}', { max: 10 }); // Still allocates ~505 MB

HTTP server vulnerable to DoS:

const http = require('http');
const expand = require('brace-expansion');
http.createServer((req, res) => {
const pattern = req.url.slice(1); // e.g., /{1..10000000}
expand(pattern, { max: 10 }); // Triggers heavy allocation
res.end('done');
}).listen(3000);

Protection from this CVE:

  • Upgrade to `[email protected]` or later.
  • Validate input patterns; reject overly large ranges.
  • Use a wrapper with a timeout for expansion.
  • Limit the length of the input string.
  • Apply a process-level memory limit (e.g., --max-old-space-size).

Impact:

  • Denial of service via memory exhaustion (up to 505 MB per request).
  • High CPU consumption (≈800 ms per expansion).
  • Application unresponsiveness or crash under repeated attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top