Fluid Attacks Database

Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-brace-expansion	=2.0.1+~1.1.0-1 \|\| =2.0.1+~1.1.0-2 \|\| =2.0.1-2 \|\| =2.0.3+~1.1.2-1 \|\| =2.0.3+~1.1.2-2	-
debian 14	node-brace-expansion	=2.0.1+~1.1.0-2 \|\| =2.0.3+~1.1.2-1 \|\| >=0 <2.0.3+~1.1.2-2	2.0.3+~1.1.2-2
debian 11	node-brace-expansion	=2.0.0-1 \|\| =2.0.1+~1.1.0-1 \|\| =2.0.1+~1.1.0-2 \|\| =2.0.1-1 \|\| =2.0.1-2 \|\| =2.0.3+~1.1.2-1 \|\| =2.0.3+~1.1.2-2	-
debian 13	node-brace-expansion	=2.0.1+~1.1.0-2 \|\| =2.0.3+~1.1.2-1 \|\| =2.0.3+~1.1.2-2	-
npm	@isaacs/brace-expansion	>=0 <5.0.1	5.0.1
rpm rhel10	nodejs22	<1:22.22.2-1.el10_1	1:22.22.2-1.el10_1
rpm rhel9	nodejs	-	-
rpm rhel8	grafana	-	-
rpm rhel9	nodejs-nodemon	-	-
rpm rhel9	gjs	-	-

1-10 of 21

Aliases

1. CVE-2026-255472. NVD-2026-255473. OSV-DEBIAN-2026-255474. OSV-2026-255475. GHSA-7h2j-956f-4vf26. GCVE-2026-255477. SECURITY-TRACKER-CVE-2026-25547

References

1. https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.