@isaacs/brace-expansion, Denial of Service, CVE Not Specified (Critical)

Listen to this Post

The vulnerability in the @isaacs/brace-expansion Node.js library is a Denial of Service (DoS) caused by unbounded brace range expansion. When processing user input, the library expands brace expressions eagerly and synchronously without imposing any upper bound on the number of generated combinations. An attacker can submit a pattern containing repeated numeric ranges, such as ‘{0..99}{0..99}{0..99}{0..99}{0..99}’. This pattern instructs the library to produce every possible combination of the specified ranges. Mathematically, this results in exponential growth; for example, five ranges of 0..99 yield 100^5 or 10 billion combinations. The library attempts to generate all these combinations in memory at once, consuming massive amounts of CPU and heap memory. This process blocks the Node.js event loop completely. The lack of any complexity limit or asynchronous yielding means even a small, malicious payload can trigger this computation. Consequently, the Node.js process rapidly exhausts available resources, leading to a fatal JavaScript heap out of memory error and causing the application to crash. This provides a straightforward path for an unauthenticated attacker to deny service with a single request.
Platform: @isaacs/brace-expansion
Version: Not specified
Vulnerability: Denial of Service
Severity: Critical
date: Not provided

Prediction: Patch date unknown

What Undercode Say:

Analytics

Bash commands and code from the

cat > poc.js << 'EOF'
const { expand } = require('@isaacs/brace-expansion');
const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';
console.log('Starting expansion...');
expand(pattern);
EOF
node poc.js

how Exploit:

Use provided PoC.

Protection from this CVE

Update library version.

Impact:

Process crash DoS.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top