CVE-2026-25547: CWE-1333: Inefficient Regular Expression Complexity in isaacs brace-expansion
CVE-2026-25547 is a critical denial of service vulnerability in versions of the @isaacs/brace-expansion library prior to 5.0.1. The issue arises from inefficient handling of numeric brace ranges, where repeated ranges cause exponential growth in expansion attempts, leading to excessive CPU and memory consumption. This can crash Node.js processes using the vulnerable library without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 9.2, indicating critical severity. It affects applications and services that incorporate this library for pattern expansion, particularly in JavaScript/TypeScript environments.
AI Analysis
Technical Summary
CVE-2026-25547 identifies a denial of service vulnerability in @isaacs/brace-expansion, a JavaScript/TypeScript package that expands shell-style brace patterns. The advisory classifies the issue as CWE-1333 (inefficient regular expression complexity), but the mechanism it describes is combinatorial rather than a backtracking regex: when input contains repeated numeric brace ranges, the library synchronously generates every combination, and because each additional range multiplies the number of output strings, the count grows exponentially with the number of ranges. A short input can therefore drive the process into excessive CPU and memory consumption, hanging or crashing the Node.js process and denying service. The vulnerability requires no authentication or user interaction and can be triggered remotely whenever an application passes untrusted input through the library; a build tool that only expands patterns from its own configuration is far less exposed than a service that expands request parameters. All versions prior to 5.0.1 are affected, and 5.0.1 contains the fix. The CVSS 4.0 score of 9.2 reflects the critical impact on availability and the ease of exploitation. No exploitation in the wild has been observed at the time of writing, but any application that expands untrusted patterns with this package, including web servers, build tools, and automation scripts, is at risk.
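As an added illustration (not code from the advisory or from the @isaacs/brace-expansion project), the following JavaScript counts how many strings a brace pattern would expand to without materialising any of them. That is enough both to show the growth described above and to implement the pre-expansion limit the Mitigation Recommendations call for. The parser handles a bash-style subset assumed here for the example: comma alternatives, numeric ranges with an optional step, nesting and concatenation. The 10,000 cap in `checkPattern` is an arbitrary example value, and `hostile` is a constructed input.

```javascript
// Added example: count a brace pattern's expansions without expanding it.
// Grammar handled is a bash-style subset assumed for this example (not the
// library's own parser):
//   literal text                -> 1
//   {a,b,c}                     -> sum of the alternatives' counts
//   {n..m} and {n..m..step}     -> number of integers in the range
//   nesting and concatenation   -> product of the consecutive parts
// Counts use BigInt because hostile inputs overflow Number almost at once.

function rangeSize(from, to, step) {
  const span = from > to ? from - to : to - from;
  const s = step === 0n ? 1n : (step < 0n ? -step : step); // step 0 treated as 1
  return span / s + 1n;
}

function countExpansions(pattern) {
  let pos = 0;

  // Parse parts up to ',' or '}' at this nesting level (at top level those
  // are literal). Returns [count, rawText]; rawText is used to spot ranges.
  function parseSequence(topLevel) {
    let count = 1n;
    const start = pos;
    while (pos < pattern.length) {
      const ch = pattern[pos];
      if (ch === '{') {
        count *= parseGroup();
      } else if (!topLevel && (ch === ',' || ch === '}')) {
        break;
      } else {
        pos++;
      }
    }
    return [count, pattern.slice(start, pos)];
  }

  // Parse a '{...}' group starting at pos and return its count.
  function parseGroup() {
    const open = pos;
    pos++; // consume '{'
    const alternatives = [];
    for (;;) {
      alternatives.push(parseSequence(false));
      if (pos >= pattern.length) {
        pos = open + 1; // unmatched '{' is a literal character; rescan after it
        return 1n;
      }
      if (pattern[pos] === ',') { pos++; continue; }
      pos++; // consume '}'
      break;
    }
    if (alternatives.length === 1) {
      const m = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(alternatives[0][1]);
      if (m) return rangeSize(BigInt(m[1]), BigInt(m[2]), m[3] ? BigInt(m[3]) : 1n);
      return alternatives[0][0]; // '{x}' with no comma or range stays literal
    }
    return alternatives.reduce((sum, [c]) => sum + c, 0n);
  }

  return parseSequence(true)[0];
}

// Gate to run before any expander: refuse patterns whose output would exceed
// the cap. 10,000 is an arbitrary ceiling chosen for this example.
const MAX_EXPANSIONS = 10000n;

function checkPattern(pattern, limit = MAX_EXPANSIONS) {
  const count = countExpansions(pattern);
  return { count, allowed: count <= limit };
}

// Constructed hostile input: four repeated ranges in a 36-character pattern
// give 1000^4 = 10^12 output strings.
const hostile = '{1..1000}'.repeat(4);
console.log(hostile, '->', checkPattern(hostile));
console.log('{a,b}{1..3}', '->', checkPattern('{a,b}{1..3}'));
```

The count is computed in a single pass over the pattern, so the check cannot itself become the denial of service vector. Note that the 36-character `hostile` pattern yields a trillion strings: the control has to be a cap on the expansion count, not on input length.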
Potential Impact
For European organizations, this vulnerability can cause significant disruption to services that depend on Node.js applications using the vulnerable @isaacs/brace-expansion library. Denial of service attacks exploiting this issue can lead to application crashes, degraded performance, and potential downtime, impacting business continuity and user experience. Organizations in sectors such as finance, e-commerce, telecommunications, and government services that rely on Node.js-based infrastructure are particularly at risk. The vulnerability could be exploited remotely without authentication, increasing the attack surface. Additionally, supply chain risks exist if third-party dependencies or internal tools incorporate the vulnerable library. The impact extends to cloud-hosted services and on-premises deployments alike, potentially affecting critical services and causing reputational damage. Given the critical CVSS score, the vulnerability demands urgent remediation to prevent exploitation and maintain service availability.
Mitigation Recommendations
European organizations should immediately audit their software dependencies for @isaacs/brace-expansion versions prior to 5.0.1, including transitive copies pulled in by other packages (`npm ls @isaacs/brace-expansion --all` lists every installed copy, nested ones included). Upgrading every copy to 5.0.1 or later is the primary mitigation; where an intermediate package pins an older range, update that package or use the package manager's override mechanism so the nested copy is replaced as well. Enforce version policies with dependency management tooling and monitor for vulnerable packages. Where user-supplied patterns reach the library, validate them before expansion: bound the number of brace groups and ranges, or compute the expansion count and refuse patterns above a cap, since limiting input length alone does not help when a few dozen characters expand to billions of strings. Rate limiting and CPU and memory monitoring help detect and contain denial of service attempts. For critical production environments, isolate services that process untrusted input or run them under resource limits (per-process CPU and memory caps, worker timeouts) so a hung expansion cannot take down the whole host. Keep Node.js and related dependencies current, and include this vulnerability in incident response and threat modeling exercises to prepare for potential exploitation scenarios.
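To make the dependency audit concrete, here is an added JavaScript example (not from the advisory or the project) that walks a lockfile's `packages` map, as written by npm for lockfileVersion 2 and 3, and reports every installed copy of a package below a fixed version, copies nested under other packages included. The lockfile object is constructed inline for the example; `some-glob-tool` and `legacy-builder` are hypothetical package names, and `compareVersions` is a deliberate simplification of semver that ignores prerelease ordering.

```javascript
// Added example: find every installed copy of a package below a fixed version
// in an npm lockfile (lockfileVersion 2 or 3 "packages" map), nested copies
// included. The lockfile below is constructed for this example; the package
// names other than @isaacs/brace-expansion are hypothetical.

const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-glob-tool': '^2.0.0', 'legacy-builder': '^1.0.0' } },
    'node_modules/@isaacs/brace-expansion': { version: '5.0.1' },
    'node_modules/some-glob-tool': { version: '2.3.0', dependencies: { '@isaacs/brace-expansion': '^4.0.0' } },
    'node_modules/some-glob-tool/node_modules/@isaacs/brace-expansion': { version: '4.0.0' },
    'node_modules/legacy-builder': { version: '1.2.0', dependencies: { '@isaacs/brace-expansion': '5.0.0' } },
    'node_modules/legacy-builder/node_modules/@isaacs/brace-expansion': { version: '5.0.0' },
  },
};

// Compare dotted numeric versions; prerelease/build suffixes are stripped and
// their ordering ignored (a simplification for this example, not full semver).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry for pkgName with version < fixedVersion, with the
// parent path ('(top level)' for a direct install) so the culprit is visible.
function findVulnerableCopies(lockfile, pkgName, fixedVersion) {
  const leaf = 'node_modules/' + pkgName;
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path !== leaf && !path.endsWith('/' + leaf)) continue;
    if (!meta.version) continue; // links and workspace entries carry no version
    if (compareVersions(meta.version, fixedVersion) >= 0) continue;
    const parent = path.slice(0, path.length - leaf.length).replace(/\/$/, '');
    hits.push({ path, version: meta.version, parent: parent || '(top level)' });
  }
  return hits;
}

const report = findVulnerableCopies(SAMPLE_LOCKFILE, '@isaacs/brace-expansion', '5.0.1');
for (const h of report) {
  console.log(`${h.version} at ${h.path} (pulled in by ${h.parent})`);
}
```

On a real project, `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the constructed object gives the same report. The nested hits are the ones a top-level upgrade misses: the top-level copy in the sample is already 5.0.1, yet two older copies remain because intermediate packages pin older ranges, and each of those needs an upstream bump or an override before the tree is clean.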
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Poland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T19:59:47.376Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983c169f9fa50a62faf7b09
Added to database: 2/4/2026, 10:00:09 PM
Last enriched: 2/12/2026, 7:44:14 AM
Last updated: 3/24/2026, 12:37:17 AM