Listen to this Post
The vulnerability in the @isaacs/brace-expansion Node.js library is a Denial of Service (DoS) caused by unbounded brace range expansion. When processing user input, the library expands brace expressions eagerly and synchronously without imposing any upper bound on the number of generated combinations. An attacker can submit a pattern containing repeated numeric ranges, such as ‘{0..99}{0..99}{0..99}{0..99}{0..99}’. This pattern instructs the library to produce every possible combination of the specified ranges. Mathematically, this results in exponential growth; for example, five ranges of 0..99 yield 100^5 or 10 billion combinations. The library attempts to generate all these combinations in memory at once, consuming massive amounts of CPU and heap memory. This process blocks the Node.js event loop completely. The lack of any complexity limit or asynchronous yielding means even a small, malicious payload can trigger this computation. Consequently, the Node.js process rapidly exhausts available resources, leading to a fatal JavaScript heap out of memory error and causing the application to crash. This provides a straightforward path for an unauthenticated attacker to deny service with a single request.
Platform: @isaacs/brace-expansion
Version: Not specified
Vulnerability: Denial of Service
Severity: Critical
date: Not provided
Prediction: Patch date unknown
What Undercode Say:
Analytics
Bash commands and code from the
cat > poc.js << 'EOF'
const { expand } = require('@isaacs/brace-expansion');
const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';
console.log('Starting expansion...');
expand(pattern);
EOF
node poc.js
how Exploit:
Use provided PoC.
Protection from this CVE
Update library version.
Impact:
Process crash DoS.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

