CVE-2026-45149: CWE-400: Uncontrolled Resource Consumption in juliangruber brace-expansion
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
AI Analysis
Technical Summary
The brace-expansion library generates strings with common prefixes and suffixes. In versions 5.0.0 up to but not including 5.0.6, when expanding large numeric ranges such as {1..10000000}, the max option intended to limit output size is applied only after generating the entire sequence. This causes the library to allocate approximately 505 MB of memory and spend around 800 milliseconds building the full intermediate array before truncation, resulting in uncontrolled resource consumption (CWE-400). The vulnerability is addressed in version 5.0.6.
Potential Impact
This vulnerability can cause high resource consumption (memory and CPU) during expansion of large numeric ranges, potentially leading to denial of service conditions in applications using affected versions of the brace-expansion library. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade to brace-expansion version 5.0.6 or later, where this issue is fixed. Patch status is not explicitly stated in the vendor advisory, but the description confirms the vulnerability is resolved in 5.0.6. Until upgrading, avoid expanding very large numeric ranges with the max option as a temporary mitigation.
CVE-2026-45149: CWE-400: Uncontrolled Resource Consumption in juliangruber brace-expansion
Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The brace-expansion library generates strings with common prefixes and suffixes. In versions 5.0.0 up to but not including 5.0.6, when expanding large numeric ranges such as {1..10000000}, the max option intended to limit output size is applied only after generating the entire sequence. This causes the library to allocate approximately 505 MB of memory and spend around 800 milliseconds building the full intermediate array before truncation, resulting in uncontrolled resource consumption (CWE-400). The vulnerability is addressed in version 5.0.6.
Potential Impact
This vulnerability can cause high resource consumption (memory and CPU) during expansion of large numeric ranges, potentially leading to denial of service conditions in applications using affected versions of the brace-expansion library. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade to brace-expansion version 5.0.6 or later, where this issue is fixed. Patch status is not explicitly stated in the vendor advisory, but the description confirms the vulnerability is resolved in 5.0.6. Until upgrading, avoid expanding very large numeric ranges with the max option as a temporary mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T20:44:38.964Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Gcve Source
- db.gcve.eu
Threat ID: 6a19feb5e29bf47b500fc5f8
Added to database: 5/29/2026, 9:01:41 PM
Last enriched: 5/29/2026, 9:05:24 PM
Last updated: 5/31/2026, 4:53:48 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.