CVE-2026-33750 — Uncontrolled Resource Consumption in Brace-expansion

CWE-400 — Uncontrolled Resource Consumption CWE-606 — Unchecked Input for Loop Condition11 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 81.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juliangruber Brace-expansion Debian Node-brace-expansion

Timeline

PublishedMar 27

Description

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/node-brace-expansion< node-brace-expansion 2.0.3+~1.1.2-1 (forky)

▶CVEListV5juliangruber/brace-expansion< 1.1.13+3

▶npmjuliangruber/brace-expansion4.0.0 — 5.0.5+3

🔴Vulnerability Details

OSV

CVE-2026-33750: The brace-expansion library generates arbitrary strings containing a common prefix and suffix↗2026-03-27

▶

GHSA

brace-expansion: Zero-step sequence causes process hang and memory exhaustion↗2026-03-26

▶

OSV

brace-expansion: Zero-step sequence causes process hang and memory exhaustion↗2026-03-26

▶

📋Vendor Advisories

Red Hat

brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern↗2026-03-27

▶

Debian

CVE-2026-33750: node-brace-expansion - The brace-expansion library generates arbitrary strings containing a common pref...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59465 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-59466 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-55131 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33750 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-21637 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶