CVE-2026-25547 in brace-expansion

Summary

by MITRE • 02/05/2026

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.


Analysis

by VulDB Data Team • 03/18/2026

The vulnerability identified as CVE-2026-25547 affects the @isaacs/brace-expansion library, a widely used JavaScript utility for expanding brace expressions that supports both CommonJS and ES Module formats. This library serves as a foundational component in many Node.js applications and build tools, making its security implications particularly significant. The issue manifests in versions prior to 5.0.1 where the library fails to implement proper bounds checking during brace expansion operations, creating a potential denial of service vector that can be exploited by malicious actors through crafted input patterns.

The technical flaw resides in the library's approach to handling brace expansion patterns containing repeated numeric ranges. When processing such patterns, the library attempts to eagerly compute all possible combinations synchronously without implementing any form of resource limiting or exponential growth prevention. This behavior directly violates the principle of bounded resource consumption that is fundamental to secure software design. The vulnerability is classified as a denial of service condition where the computational complexity grows exponentially with input size, meaning that even seemingly innocuous inputs can trigger massive resource consumption. The library's synchronous nature exacerbates the issue as it blocks the Node.js event loop, preventing other operations from executing until the expansion completes or the process crashes due to resource exhaustion.

From an operational perspective, this vulnerability presents a serious risk to applications that accept user input or external data patterns that could be processed through the brace expansion functionality. Attackers can craft malicious patterns that cause the application to consume excessive CPU cycles and memory resources, potentially leading to complete service unavailability. The impact extends beyond individual applications to affect entire systems that rely on this library, as a single vulnerable endpoint could bring down a server or application instance. This vulnerability aligns with CWE-400 which specifically addresses unchecked resource consumption, and represents a classic example of how seemingly benign string processing operations can become security threats when exponential complexity is not properly managed. The issue also maps to ATT&CK technique T1499.004 which covers network denial of service attacks through resource exhaustion.

Mitigation strategies for this vulnerability require immediate attention from system administrators and developers. The primary and most effective solution is to upgrade to version 5.0.1 or later where the issue has been patched. Organizations should implement comprehensive dependency scanning processes to identify all instances of this library within their codebases and ensure timely updates. Additional protective measures include implementing input validation and sanitization at application boundaries, setting resource limits and timeouts for processing operations, and employing monitoring systems to detect unusual resource consumption patterns that might indicate exploitation attempts. Security teams should also consider implementing network-level protections and rate limiting to prevent abuse of vulnerable endpoints while the upgrade process is underway. The fix implemented in version 5.0.1 demonstrates proper resource management through bounded expansion algorithms that prevent exponential growth and maintain predictable resource consumption characteristics.
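One concrete form of the input validation and resource limiting described above is to estimate how many strings a pattern would produce before calling the library at all, since the count is the product of the sizes of the brace groups and can be computed without materialising a single expansion. The block below is an added example, not code from @isaacs/brace-expansion or from the 5.0.1 patch; the names EXPANSION_LIMIT, countGroup, countExpansions and checkPattern are chosen here, the 10,000 budget is an assumption to tune per service, and the grammar it recognises (numeric or single-letter ranges with an optional step, comma lists, nesting, backslash escapes) is the commonly documented one rather than a guarantee of the library's exact parser.

```javascript
// Added example, not code from @isaacs/brace-expansion: estimate how many strings
// a pattern would expand to WITHOUT expanding it, so oversized patterns are refused early.
const EXPANSION_LIMIT = 10_000; // assumed per-request budget; tune for your service
const RANGE = /^(?:(-?\d+)\.\.(-?\d+)|([a-zA-Z])\.\.([a-zA-Z]))(?:\.\.(-?\d+))?$/;

// Number of results produced by the body of one brace group, e.g. "1..5" or "a,b,{c,d}".
function countGroup(body) {
  const m = RANGE.exec(body);
  if (m) {
    // Numeric or single-letter sequence: only the number of steps is computed, never the values.
    const lo = m[1] !== undefined ? Number(m[1]) : m[3].charCodeAt(0);
    const hi = m[1] !== undefined ? Number(m[2]) : m[4].charCodeAt(0);
    const step = Math.abs(Number(m[5] ?? 1)) || 1;
    return Math.floor(Math.abs(hi - lo) / step) + 1;
  }
  // Comma list: split at depth 0 and sum the alternatives (each may itself contain braces).
  let depth = 0, start = 0, total = 0, parts = 0;
  for (let i = 0; i <= body.length; i++) {
    const ch = body[i];
    if (ch === '{') depth++;
    else if (ch === '}') depth--;
    else if (i === body.length || (ch === ',' && depth === 0)) {
      total += countExpansions(body.slice(start, i));
      parts++; start = i + 1;
    }
  }
  return parts > 1 ? total : 1; // "{abc}" has no comma and no range: it stays literal
}

// Product of the counts of every top-level brace group in the pattern.
function countExpansions(pattern) {
  let count = 1, depth = 0, open = -1;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // escaped character, not a brace
    if (ch === '{') { if (depth++ === 0) open = i; }
    else if (ch === '}' && depth > 0 && --depth === 0) {
      count *= countGroup(pattern.slice(open + 1, i)); // overflows to Infinity, still > limit
    }
  }
  return count;
}

// Gate to run before expand(): reject a pattern whose estimate exceeds the budget.
function checkPattern(pattern, limit = EXPANSION_LIMIT) {
  const estimate = countExpansions(pattern);
  return { ok: estimate <= limit, estimate };
}
```

A pattern that passes checkPattern can then be handed to the library with a known upper bound on the work it will do; one that fails is rejected without ever blocking the event loop.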

Responsible: GitHub M

Reservation: 02/02/2026

Disclosure: 02/05/2026

Moderation: accepted

CPE: ready

EPSS: 0.00020

KEV: no

Activities: very low

Sources
