Juliangruber Brace-Expansion vulnerabilities

3 known vulnerabilities affecting juliangruber/brace-expansion.

Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH 1, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2026-33750 [MEDIUM] CVSS 6.5, CWE-400. Affected: >= 4.0.0, < 5.0.5; >= 3.0.0, < 3.0.2; +2 more. Published 2026-03-27.
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2,
Sources: GHSA, NVD, OSV
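The zero-step hang described for CVE-2026-33750, as an added example that is not brace-expansion's own code: a minimal model of the library's `{x..y..step}` numeric-range branch, with the loop shape that never advances when the step is 0, next to a hardened variant that rejects a zero step and bounds the output size before allocating. The function names (`parseRange`, `walk`, `expandRangeVulnerable`, `expandRangeHardened`), the iteration budget that keeps the vulnerable model from actually hanging the demo, and the output cap are assumptions made for this example; the upstream fix in 5.0.5 / 3.0.2 / 2.0.3 / 1.1.13 may differ in detail.

```javascript
// Added example, not brace-expansion's own code. Models the numeric-range
// branch of brace expansion ("{x..y}" and "{x..y..step}") to show why a zero
// step never terminates (CVE-2026-33750) and one way to harden it.
// parseRange, walk, expandRangeVulnerable, expandRangeHardened, DEMO_BUDGET
// and MAX_RESULTS are names and values chosen for this example (assumptions).

const DEMO_BUDGET = 100000; // iteration cap so the vulnerable model cannot hang this demo
const MAX_RESULTS = 10000;  // hypothetical output-size limit for the hardened version

// Parse "{x..y}" or "{x..y..step}" into integers; null when not a numeric range.
function parseRange(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/.exec(pattern);
  if (m === null) return null;
  return {
    x: parseInt(m[1], 10),
    y: parseInt(m[2], 10),
    // a missing step means 1; the direction is derived from x and y in walk()
    step: m[3] === undefined ? 1 : Math.abs(parseInt(m[3], 10)),
  };
}

// Loop shape shared by both variants: count from x towards y in steps of incr.
// Returns false if the callback aborted the walk, true if the loop finished.
function walk(r, onValue) {
  const reverse = r.y < r.x;
  const incr = reverse ? -r.step : r.step;
  const done = reverse ? (i) => i < r.y : (i) => i > r.y;
  for (let i = r.x; !done(i); i += incr) {
    if (onValue(String(i)) === false) return false;
  }
  return true;
}

// Vulnerable model. With step 0, incr is 0, `i` never moves and the loop only
// stops because of DEMO_BUDGET; without that budget (as in the affected
// versions) it spins forever while the result array keeps growing.
function expandRangeVulnerable(pattern) {
  const r = parseRange(pattern);
  if (r === null) return { hung: false, values: [pattern] };
  const values = [];
  const completed = walk(r, (v) => {
    values.push(v);
    return values.length < DEMO_BUDGET;
  });
  return { hung: !completed, values };
}

// Hardened model: reject a zero step up front, and bound the output size
// before allocating, since a valid step can still request a huge expansion.
function expandRangeHardened(pattern, maxResults = MAX_RESULTS) {
  const r = parseRange(pattern);
  if (r === null) return [pattern];
  if (r.step === 0) {
    throw new RangeError('brace range step must be non-zero: ' + pattern);
  }
  const count = Math.floor(Math.abs(r.y - r.x) / r.step) + 1;
  if (count > maxResults) {
    throw new RangeError('brace range expands to ' + count + ' items, limit is ' + maxResults);
  }
  const values = [];
  walk(r, (v) => { values.push(v); });
  return values;
}

// Usage: the advisory's trigger pattern against both variants.
const probe = expandRangeVulnerable('{1..2..0}');
console.log('vulnerable model hung:', probe.hung, 'after', probe.values.length, 'iterations');
try {
  expandRangeHardened('{1..2..0}');
} catch (e) {
  console.log('hardened model rejected it:', e.message);
}
```

The output cap is the part worth keeping even after upgrading: a non-zero step only removes the infinite loop, while a pattern such as `{1..1000000000}` is still a legitimate request for a billion strings, so code that expands untrusted patterns needs a size limit of its own regardless of library version.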
CVE-2025-5889 [LOW] CVSS 2.3, CWE-400. Affected: v1.1.0, v1.1.1, +14 more. Published 2025-06-09.
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitati
Sources: GHSA, NVD, OSV
CVE-2017-18077 [HIGH] CWE-1333. Affected: >= 0, < 1.1.7. Published 2018-01-29.
ReDoS in brace-expansion
Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.

## Proof of Concept

```js
// Requires an affected version of brace-expansion (< 1.1.7).
var expand = require('brace-expansion');

// The payload is one brace group of many empty alternatives followed by a
// newline character. On affected versions the regular expression used by
// expand() takes excessive time on this input (ReDoS) instead of returning
// promptly; on 1.1.7 or later the call returns immediately.
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

## Recommendation

Update to version 1.1.7 or later.
Sources: GHSA, OSV