CVE-2026-25547Regex Denial of Service in Brace-expansion

CWE-1333Regex Denial of ServiceCWE-409Improper Handling of Highly Compressed Data (Data Amplification)8 documents7 sources
Severity
9.2CRITICALNVD
EPSS
0.0%
top 94.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Isaacs Brace-expansionDebian Node-brace-expansion
Timeline
PublishedFeb 4

Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the No

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages3 packages

debiandebian/node-brace-expansion< node-brace-expansion 2.0.3+~1.1.2-2 (forky)
CVEListV5isaacs/brace-expansion< 5.0.1

🔴Vulnerability Details

3
OSV
CVE-2026-25547: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion2026-02-04
GHSA
@isaacs/brace-expansion has Uncontrolled Resource Consumption2026-02-03
OSV
@isaacs/brace-expansion has Uncontrolled Resource Consumption2026-02-03

📋Vendor Advisories

2
Red Hat
brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion2026-02-04
Debian
CVE-2026-25547: node-brace-expansion - @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-25547 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-25547 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion2026-02-04