CVE-2026-33750: CWE-400: Uncontrolled Resource Consumption in juliangruber brace-expansion
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
AI Analysis
Technical Summary
The juliangruber brace-expansion library is used to generate arbitrary strings based on brace patterns with common prefixes and suffixes. Versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13 contain a vulnerability (CVE-2026-33750) where a brace pattern specifying a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely. This infinite loop leads to uncontrolled resource consumption, including prolonged CPU usage and large memory allocations, effectively causing the process to hang or crash due to resource exhaustion. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The flaw can be triggered by passing maliciously crafted input strings to the expand() function of the library. The CVSS 3.1 base score is 6.5 (medium severity), reflecting that the attack vector is network accessible, requires no privileges, but does require user interaction. The impact is limited to availability, with no confidentiality or integrity loss. The issue is fixed in versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13. No public exploits have been reported yet. As a workaround, input validation to reject zero step values can prevent exploitation.
Potential Impact
This vulnerability can cause denial-of-service conditions in applications using the affected brace-expansion library versions by making processes hang or consume excessive memory and CPU resources. For organizations, this can lead to degraded service availability, increased operational costs due to resource exhaustion, and potential cascading failures in dependent systems. Since the library is commonly used in Node.js projects for string pattern expansion, web applications, build tools, and automation scripts may be impacted. Attackers can exploit this by supplying crafted input to trigger the infinite loop, potentially disrupting services or causing application crashes. Although no direct data breach or integrity compromise occurs, the availability impact can affect business continuity, user experience, and system reliability.
Mitigation Recommendations
1. Upgrade all instances of the juliangruber brace-expansion library to versions 5.0.5, 3.0.2, 2.0.3, or 1.1.13 or later, depending on the major version in use. 2. Implement input validation and sanitization to detect and reject brace patterns with zero step values before passing them to the expand() function. 3. Employ runtime monitoring and resource usage limits (e.g., CPU and memory quotas) on processes that use this library to detect and mitigate potential hangs or resource exhaustion. 4. Review and audit all code paths that utilize brace-expansion to ensure no untrusted input can reach the vulnerable function without validation. 5. Incorporate fuzz testing or static analysis tools to detect similar uncontrolled resource consumption patterns in dependencies. 6. Educate developers about the risks of uncontrolled resource consumption vulnerabilities and encourage secure coding practices when handling user input.
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, Canada, Australia, France, Netherlands
CVE-2026-33750: CWE-400: Uncontrolled Resource Consumption in juliangruber brace-expansion
Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The juliangruber brace-expansion library is used to generate arbitrary strings based on brace patterns with common prefixes and suffixes. Versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13 contain a vulnerability (CVE-2026-33750) where a brace pattern specifying a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely. This infinite loop leads to uncontrolled resource consumption, including prolonged CPU usage and large memory allocations, effectively causing the process to hang or crash due to resource exhaustion. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The flaw can be triggered by passing maliciously crafted input strings to the expand() function of the library. The CVSS 3.1 base score is 6.5 (medium severity), reflecting that the attack vector is network accessible, requires no privileges, but does require user interaction. The impact is limited to availability, with no confidentiality or integrity loss. The issue is fixed in versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13. No public exploits have been reported yet. As a workaround, input validation to reject zero step values can prevent exploitation.
Potential Impact
This vulnerability can cause denial-of-service conditions in applications using the affected brace-expansion library versions by making processes hang or consume excessive memory and CPU resources. For organizations, this can lead to degraded service availability, increased operational costs due to resource exhaustion, and potential cascading failures in dependent systems. Since the library is commonly used in Node.js projects for string pattern expansion, web applications, build tools, and automation scripts may be impacted. Attackers can exploit this by supplying crafted input to trigger the infinite loop, potentially disrupting services or causing application crashes. Although no direct data breach or integrity compromise occurs, the availability impact can affect business continuity, user experience, and system reliability.
Mitigation Recommendations
1. Upgrade all instances of the juliangruber brace-expansion library to versions 5.0.5, 3.0.2, 2.0.3, or 1.1.13 or later, depending on the major version in use. 2. Implement input validation and sanitization to detect and reject brace patterns with zero step values before passing them to the expand() function. 3. Employ runtime monitoring and resource usage limits (e.g., CPU and memory quotas) on processes that use this library to detect and mitigate potential hangs or resource exhaustion. 4. Review and audit all code paths that utilize brace-expansion to ensure no untrusted input can reach the vulnerable function without validation. 5. Incorporate fuzz testing or static analysis tools to detect similar uncontrolled resource consumption patterns in dependencies. 6. Educate developers about the risks of uncontrolled resource consumption vulnerabilities and encourage secure coding practices when handling user input.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T18:30:14.124Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6949b3c064ed76fb5b747
Added to database: 3/27/2026, 2:30:51 PM
Last enriched: 3/27/2026, 2:48:20 PM
Last updated: 3/28/2026, 1:44:54 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.