CVE-2026-13149 in brace-expansion

Summary

by MITRE • 06/30/2026

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.


Analysis

by VulDB Data Team • 06/30/2026

The brace-expansion library version 5.0.6 contains a critical denial of service vulnerability that stems from its expand() function implementation. This flaw manifests as exponential-time complexity when processing consecutive non-expanding brace groups enclosed in curly braces. The vulnerability operates at the core of the library's string expansion algorithm, where each additional brace group exponentially increases computational requirements. When an attacker crafts malicious input containing multiple nested or sequential brace patterns that cannot be expanded, the function enters a recursive processing loop that grows factorially rather than linearly, creating a severe performance degradation scenario.

The technical implementation of this vulnerability demonstrates poor algorithmic design principles that violate fundamental security practices. The expand() function processes brace patterns through recursive expansion mechanisms without proper input validation or computational bounds checking. Each brace group that fails to produce expansion results triggers additional recursive calls, leading to combinatorial explosion in processing time. This behavior directly relates to CWE-1333 which covers inefficient algorithms and CWE-400 which addresses resource exhaustion vulnerabilities. The exponential complexity can be measured as O(n!) where n represents the number of consecutive brace groups, making even moderately sized inputs capable of causing significant system strain.

The operational impact of this vulnerability extends beyond simple performance degradation to potentially catastrophic system instability. When an attacker exploits this flaw through direct or indirect calls to expand(), the event loop becomes blocked for extended periods, effectively rendering the application unresponsive to legitimate requests. This blocking behavior particularly affects Node.js applications, where the single-threaded event loop is fundamental to operation. The max option fails to provide adequate protection because it only limits the size of the output rather than addressing the underlying computational complexity of the recursion. Relying on it as a defense reflects a fundamental misunderstanding of how denial of service attacks can be constructed against algorithmic implementations.

Mitigation strategies for this vulnerability require multiple layers of defense to protect against exploitation. The most effective immediate solution is upgrading to a patched version of the brace-expansion library in which the exponential expansion behavior has been eliminated through algorithmic improvements or input sanitization. Applications should implement strict input validation and length limits on all user-supplied strings passed to expand(), particularly in web applications where user input is common. Network-level protections such as rate limiting and request timeouts can help detect and prevent exploitation attempts. Additionally, implementing circuit breaker patterns around brace expansion operations provides graceful degradation when system resources become constrained. The vulnerability highlights the importance of applying security patches promptly and demonstrates how seemingly benign library functions can create critical attack vectors when algorithmic complexity is not properly managed. The attack pattern corresponds to ATT&CK technique T1496, which covers resource exhaustion attacks.
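The summary notes that the library's max option bounds output size rather than the recursion work, and the mitigation paragraph above recommends validating and length-limiting any string before it reaches expand(). The following is an added example of such a pre-validation guard; it is not code from brace-expansion or from VulDB. It scans a pattern for brace groups (counting all groups, nesting depth, and empty '{}' groups, while skipping backslash-escaped braces) and rejects patterns that exceed illustrative thresholds. The threshold values, the function names (inspectBraces, checkPattern, safeExpand) and the expandStub stand-in for the real expand() are all assumptions for the demonstration, not part of the advisory.

```javascript
// Added example (not brace-expansion's own code): a defensive guard that bounds
// the brace structure of a pattern before it is handed to expand().
// The limits below are illustrative assumptions, not values from the advisory.
const LIMITS = { maxLength: 256, maxGroups: 8, maxDepth: 4 };

// Scan a pattern and report how many brace groups it contains (at any depth),
// the deepest nesting, and how many groups are the empty, non-expanding "{}".
// A backslash escapes the next character, so "\{" is not counted as a group.
function inspectBraces(pattern) {
  let depth = 0;
  let maxDepth = 0;
  let groups = 0;
  let emptyGroups = 0;
  let lastOpen = -2; // index of the most recent unmatched '{'
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') {
      i++; // skip the escaped character
      continue;
    }
    if (c === '{') {
      depth++;
      groups++;
      if (depth > maxDepth) maxDepth = depth;
      lastOpen = i;
      continue;
    }
    if (c === '}' && depth > 0) {
      if (i === lastOpen + 1) emptyGroups++; // "{}" with nothing inside
      depth--;
    }
  }
  return { groups, maxDepth, emptyGroups, unbalanced: depth !== 0 };
}

// Decide whether a pattern is cheap enough to expand. Returns a verdict object
// rather than throwing so callers can log the reason for rejection.
function checkPattern(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'too long' };
  const info = inspectBraces(pattern);
  if (info.groups > limits.maxGroups) return { ok: false, reason: 'too many brace groups', info };
  if (info.maxDepth > limits.maxDepth) return { ok: false, reason: 'braces nested too deeply', info };
  return { ok: true, reason: '', info };
}

// Wrap an expand function so the guard runs first. expandFn would be the
// library's expand() in real use; here a stand-in is used so the example
// runs offline.
function safeExpand(expandFn, pattern, limits = LIMITS) {
  const verdict = checkPattern(pattern, limits);
  if (!verdict.ok) throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  return expandFn(pattern);
}

// Constructed stand-in for expand(): returns the pattern unchanged.
const expandStub = (p) => [p];

// Constructed sample inputs: a normal glob-style pattern and a pattern made of
// repeated empty groups, the shape the advisory describes as expensive.
const samples = ['src/{a,b}/*.js', '{}'.repeat(12)];
for (const s of samples) {
  const v = checkPattern(s);
  console.log(JSON.stringify(s), v.ok ? 'accepted' : `rejected (${v.reason})`);
}
```

The guard is deliberately a cheap linear scan, so it adds negligible cost on the hot path and runs before any recursion in the library can start. It complements, rather than replaces, upgrading to a fixed release: it narrows the input space an unpatched expand() can be reached with, and the verdict object gives a detection hook for logging or rate-limiting repeated rejections from one client.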

Responsible: Seal
Reservation: 06/24/2026
Disclosure: 06/30/2026
Moderation: accepted
CPE: ready
EPSS: 0.00361
KEV: no
Activities: low
