CVE-2026-45149
Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was applied too late. When expanding a single large numeric range such as {1..10000000}, the sequence-generation loop builds all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
| Field | Value |
|---|---|
| Name | CVE-2026-45149 |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-brace-expansion (PTS) | bullseye | 2.0.0-1 | vulnerable |
| node-brace-expansion (PTS) | bookworm | 2.0.1-2 | vulnerable |
| node-brace-expansion (PTS) | trixie | 2.0.1+~1.1.0-2 | vulnerable |
| node-brace-expansion (PTS) | forky, sid | 2.0.3+~1.1.2-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-brace-expansion | source | (unstable) | (unfixed) | | | |
Notes
https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
check affected versions
OS impact
Debian Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Affected | - |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | brace-expansion | >= 5.0.0, < 5.0.6 | 5.0.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| juliangruber | brace-expansion | 5.0.0 (inclusive) through 5.0.6 (inclusive) | |
References
- https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
- https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
- https://github.com/juliangruber/brace-expansion
- https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
- https://security-tracker.debian.org/tracker/CVE-2026-45149
CWEs
CWE-400 (Uncontrolled Resource Consumption)