CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) @isaacs/brace-expansion es una bifurcación de TypeScript híbrida CJS/ESM de brace-expansion. Antes de la versión 5.0.1, @isaacs/brace-expansion es vulnerable a un problema de denegación de servicio (DoS) causado por la expansión ilimitada de rangos de llaves. Cuando un atacante proporciona un patrón que contiene rangos de llaves numéricos repetidos, la librería intenta generar ávidamente cada combinación posible de forma síncrona. Debido a que la expansión crece exponencialmente, incluso una entrada pequeña puede consumir CPU y memoria excesivas y puede bloquear el proceso de Node.js. Este problema ha sido parcheado en la versión 5.0.1.

04 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 22:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-25547

Mitre link : CVE-2026-25547

CVE.ORG link : CVE-2026-25547

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2026-25547", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T22:16:00.813", "references": [{"url": "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1."}, {"lang": "es", "value": "@isaacs/brace-expansion es una bifurcaci\u00f3n de TypeScript h\u00edbrida CJS/ESM de brace-expansion. Antes de la versi\u00f3n 5.0.1, @isaacs/brace-expansion es vulnerable a un problema de denegaci\u00f3n de servicio (DoS) causado por la expansi\u00f3n ilimitada de rangos de llaves. Cuando un atacante proporciona un patr\u00f3n que contiene rangos de llaves num\u00e9ricos repetidos, la librer\u00eda intenta generar \u00e1vidamente cada combinaci\u00f3n posible de forma s\u00edncrona. Debido a que la expansi\u00f3n crece exponencialmente, incluso una entrada peque\u00f1a puede consumir CPU y memoria excesivas y puede bloquear el proceso de Node.js. Este problema ha sido parcheado en la versi\u00f3n 5.0.1."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}