CVE-2026-25547

HIGH SEVERITY

Vulnerability Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Vulnerability Details

Published Date

February 03, 2026

Last Modified

February 05, 2026

CWE ID

CWE-1333

Source

GitHub

Vendor

npm

Product

@isaacs/brace-expansion

External References

https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
https://github.com/advisories/GHSA-7h2j-956f-4vf2

CVE-2026-25547

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment