CVE-2026-13149: CWE-400 Uncontrolled Resource Consumption in juliangruber brace-expansion
The juliangruber brace-expansion library through version 5.0.6 contains a denial of service vulnerability due to uncontrolled resource consumption. The expand() function has exponential-time complexity when processing consecutive non-expanding '{}' brace groups, allowing crafted input to cause high CPU usage and event-loop blocking. The max option does not prevent this issue as it limits output size but not recursion work. No official patch or remediation has been confirmed yet.
AI Analysis
Technical Summary
CVE-2026-13149 describes a denial of service vulnerability in the juliangruber brace-expansion library up to version 5.0.6. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups, which can be exploited by an attacker supplying crafted strings to cause significant CPU consumption and block the event loop. The max option, which bounds output size, does not mitigate the underlying recursion and CPU usage. There is no vendor advisory or patch information available at this time, and the vulnerability is not related to cloud services.
Potential Impact
An attacker can cause denial of service by triggering high CPU consumption and event-loop blocking in applications using the vulnerable brace-expansion library. This can degrade or halt application responsiveness, impacting availability. There is no indication of privilege escalation, data disclosure, or integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid processing untrusted input with the expand() function or implement application-level timeouts or resource limits to mitigate potential denial of service.
CVE-2026-13149: CWE-400 Uncontrolled Resource Consumption in juliangruber brace-expansion
Description
The juliangruber brace-expansion library through version 5.0.6 contains a denial of service vulnerability due to uncontrolled resource consumption. The expand() function has exponential-time complexity when processing consecutive non-expanding '{}' brace groups, allowing crafted input to cause high CPU usage and event-loop blocking. The max option does not prevent this issue as it limits output size but not recursion work. No official patch or remediation has been confirmed yet.
CVSS v4.0
Score 7.7high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-13149 describes a denial of service vulnerability in the juliangruber brace-expansion library up to version 5.0.6. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups, which can be exploited by an attacker supplying crafted strings to cause significant CPU consumption and block the event loop. The max option, which bounds output size, does not mitigate the underlying recursion and CPU usage. There is no vendor advisory or patch information available at this time, and the vulnerability is not related to cloud services.
Potential Impact
An attacker can cause denial of service by triggering high CPU consumption and event-loop blocking in applications using the vulnerable brace-expansion library. This can degrade or halt application responsiveness, impacting availability. There is no indication of privilege escalation, data disclosure, or integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid processing untrusted input with the expand() function or implement application-level timeouts or resource limits to mitigate potential denial of service.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- seal
- Date Reserved
- 2026-06-24T10:17:07.027Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4391c127e9c7971986645c
Added to database: 06/30/2026, 09:52:01 UTC
Last enriched: 06/30/2026, 10:06:28 UTC
Last updated: 06/30/2026, 10:16:21 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.