CVE-2026-25547

Uncontrolled Resource Consumption in @isaacs/brace-expansion

Assigner: GitHub_M
Reserved: 02.02.2026 Published: 04.02.2026 Updated: 05.02.2026

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS Score: 9.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	isaacs
Product	brace-expansion
Versions	Version < 5.0.1 is affected

Vendor

isaacs

Product

brace-expansion

Versions

Version < 5.0.1 is affected

References

Problem Types

CWE-1333: Inefficient Regular Expression Complexity CWE

CVE-2026-25547 PUBLISHED

Uncontrolled Resource Consumption in @isaacs/brace-expansion

Metrics

Product Status

References

Problem Types