CVE-2026-25547: CWE-1333: Inefficient Regular Expression Complexity in isaacs brace-expansion
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
AI Analysis
Technical Summary
CVE-2026-25547 identifies a critical denial of service vulnerability in the @isaacs/brace-expansion library, a hybrid CommonJS/ESM TypeScript fork used for brace expansion in JavaScript and Node.js environments. The vulnerability stems from inefficient regular expression complexity related to unbounded numeric brace range expansions. When an attacker supplies a pattern containing repeated numeric brace ranges, the library attempts to synchronously generate every possible combination. Because the number of combinations grows exponentially with the input size, even small crafted inputs can cause excessive CPU and memory usage, leading to process crashes or severe performance degradation. This flaw does not require any privileges, user interaction, or authentication, making it trivially exploitable remotely if the vulnerable library is exposed to attacker-controlled input. The vulnerability affects all versions prior to 5.0.1, where the issue has been patched. The CVSS v4.0 score is 9.2 (critical), reflecting the high impact on availability and ease of exploitation. No known exploits in the wild have been reported yet, but the potential for denial of service attacks is significant, especially in server-side Node.js applications that rely on this library for pattern expansion tasks.
Potential Impact
For European organizations, the primary impact is denial of service, which can disrupt critical Node.js-based services, web applications, and backend systems that depend on the vulnerable @isaacs/brace-expansion library. This can lead to downtime, degraded user experience, and potential financial losses due to service unavailability. Organizations in sectors such as finance, e-commerce, telecommunications, and public services that use Node.js extensively are particularly at risk. The vulnerability could be exploited remotely without authentication, increasing the attack surface. Additionally, indirect dependencies on the vulnerable library through other npm packages can widen the scope of affected systems. The resulting service interruptions may also impact compliance with European regulations on service availability and data protection, potentially leading to reputational damage and regulatory penalties.
Mitigation Recommendations
The most effective mitigation is to upgrade all instances of @isaacs/brace-expansion to version 5.0.1 or later, where the vulnerability is fixed. Organizations should perform a thorough dependency audit using tools like npm audit, Snyk, or Dependabot to identify direct and transitive dependencies on vulnerable versions. For applications where immediate upgrade is not feasible, implementing input validation and sanitization to restrict or reject patterns containing repeated numeric brace ranges can reduce risk. Monitoring application performance and resource usage can help detect exploitation attempts early. Additionally, applying runtime protections such as CPU and memory usage limits for Node.js processes can mitigate the impact of potential attacks. Finally, organizations should keep abreast of updates from package maintainers and security advisories to promptly address any emerging threats related to this vulnerability.
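The advisory's stop-gap of rejecting patterns that would expand to too many entries can be implemented as a cheap pre-check that runs before the library is ever called. The code below is an added example, not code from @isaacs/brace-expansion or its maintainer; it assumes bash-style syntax (`{a,b}` lists, `{n..m}` and `{n..m..step}` ranges, nesting allowed) and an application-chosen budget `MAX_EXPANSIONS`. It estimates the expansion count by multiplying group sizes, bailing out as soon as the running total exceeds the budget so the check itself stays cheap on hostile input.

```javascript
// Defensive pre-check for brace patterns (example code, not the library's own).
// estimateExpansions() counts how many strings a pattern would expand to
// without materialising any of them; isSafeToExpand() compares that to a budget.

const MAX_EXPANSIONS = 10_000; // assumed budget; tune to what the application actually needs

// Split the body of a brace group on top-level commas only (nested braces kept intact).
function splitTopLevel(body) {
  const parts = [];
  let depth = 0;
  let start = 0;
  for (let k = 0; k < body.length; k++) {
    const ch = body[k];
    if (ch === '{') depth++;
    else if (ch === '}') depth--;
    else if (ch === ',' && depth === 0) {
      parts.push(body.slice(start, k));
      start = k + 1;
    }
  }
  parts.push(body.slice(start));
  return parts;
}

// Number of items in a numeric or single-letter range such as "1..100", "1..10..3", "a..e".
// Returns null when the body is not a range.
function rangeSize(body) {
  let lo, hi, step;
  const num = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  const chr = /^([A-Za-z])\.\.([A-Za-z])(?:\.\.(-?\d+))?$/.exec(body);
  if (num) {
    lo = Number(num[1]); hi = Number(num[2]); step = num[3];
  } else if (chr) {
    lo = chr[1].charCodeAt(0); hi = chr[2].charCodeAt(0); step = chr[3];
  } else {
    return null;
  }
  step = step === undefined ? 1 : Math.abs(Number(step));
  if (step === 0) step = 1; // bash treats a zero step as 1
  return Math.floor(Math.abs(hi - lo) / step) + 1;
}

// Estimate the expansion count; returns Infinity as soon as the budget is exceeded
// so that a hostile pattern never costs more than a linear scan.
function estimateExpansions(pattern, budget = MAX_EXPANSIONS) {
  let total = 1;
  let i = 0;
  while (i < pattern.length) {
    if (pattern[i] !== '{') { i++; continue; }
    // Locate the matching closing brace for the group opened at i.
    let depth = 0;
    let j = i;
    for (; j < pattern.length; j++) {
      if (pattern[j] === '{') depth++;
      else if (pattern[j] === '}') { depth--; if (depth === 0) break; }
    }
    if (j >= pattern.length) { i++; continue; } // unbalanced brace: literal text
    const body = pattern.slice(i + 1, j);
    const size = rangeSize(body);
    let groupCount;
    if (size !== null) {
      groupCount = size;
    } else {
      const parts = splitTopLevel(body);
      groupCount = parts.length < 2
        ? estimateExpansions(body, budget)                 // "{foo}" or "{{1..3}}"
        : parts.reduce((sum, p) => sum + estimateExpansions(p, budget), 0);
    }
    total *= groupCount;
    if (total > budget) return Infinity;
    i = j + 1;
  }
  return total;
}

function isSafeToExpand(pattern, budget = MAX_EXPANSIONS) {
  return estimateExpansions(pattern, budget) <= budget;
}

// Wrap whatever expansion function the application uses so that over-budget
// patterns are refused before any expansion work starts.
function guardedExpand(pattern, expand, budget = MAX_EXPANSIONS) {
  if (!isSafeToExpand(pattern, budget)) {
    throw new RangeError(`brace pattern would expand to more than ${budget} entries`);
  }
  return expand(pattern);
}

// Stand-alone demonstration on constructed patterns.
console.log(estimateExpansions('file{a,b}{1..3}.txt'));      // 6
console.log(isSafeToExpand('{1..100}{1..100}{1..100}'));      // false
```

`guardedExpand` takes the expansion function as a parameter so the same guard works for the patched library, an older pinned version that cannot be upgraded yet, or any other expander; the thrown `RangeError` is a convenient hook for logging rejected patterns, which is also a usable detection signal for the exploitation attempts the advisory mentions.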
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T19:59:47.376Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983c169f9fa50a62faf7b09
Added to database: 2/4/2026, 10:00:09 PM
Last enriched: 2/4/2026, 10:14:29 PM
Last updated: 2/7/2026, 2:55:36 AM