Denial of Service due to exponential-time complexity
Summary
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work. A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system. A flaw was found in brace-expansion, a widely-used npm package for expanding brace sequences. The expand() function exhibits exponential-time complexity when processing consecutive non-expanding brace groups. An attacker who can supply crafted input to expand(), directly or transitively via minimatch or glob, can cause significant CPU consumption and event-loop blocking, resulting in denial of service. The max option does not mitigate this issue, as it bounds the output size rather than the recursion work. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-1333. Fixed by RHSA-2026:33866, RHSA-2026:34478, RHSA-2026:35272 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: OpenShift Service Mesh 2; Red Hat Fuse 7; Red Hat Hardened Images.
- nodejs26-main-26.4.0-1.3.hum1
- nodejs22-main-22.23.1-2.hum1
- nodejs24-main-24.18.0-0.2.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- nodejs26-main-26.4.0-1.3.hum1
- nodejs24-main-24.18.0-0.2.hum1
- nodejs22-main-22.23.1-2.hum1
- RHSA-2026:33866
- RHSA-2026:34478
- RHSA-2026:35272
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- There is no practical mitigation for this vulnerability. The brace-expansion package is typically a transitive dependency pulled in via minimatch and glob, making it difficult to isolate. Users should upgrade to a fixed version of brace-expansion when one becomes available.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.