CVE-2026-33750
Received Received - Intake
Infinite Loop and Memory Exhaustion in brace-expansion Library

Publication date: 2026-03-27

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33750
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
juliangruber brace-expansion to 1.1.13 (exc)
juliangruber brace-expansion From 2.0.0 (inc) to 2.0.3 (exc)
juliangruber brace-expansion From 3.0.0 (inc) to 3.0.2 (exc)
juliangruber brace-expansion From 5.0.0 (inc) to 5.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33750 is a vulnerability in the brace-expansion library where a brace pattern with a zero step value (for example, `{1..2..0}`) causes the sequence generation loop to run indefinitely. This happens because the increment used in the loop is zero, so the loop variable never advances, resulting in an infinite loop.

This infinite loop causes the process to hang for several seconds and allocate a large amount of memory, potentially around 1.9 GB, before eventually throwing a RangeError. The issue affects versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13 of the brace-expansion library.

The vulnerability arises because the library does not properly handle a zero step value in brace expansions, leading to denial-of-service conditions due to excessive CPU and memory consumption.

The issue was fixed by ensuring the increment value is at least 1, preventing zero-step increments from causing infinite loops.

Compliance Impact

The vulnerability in the brace-expansion library causes a denial-of-service condition by making the process hang and consume excessive memory when a zero-step brace pattern is used. This can lead to service unavailability or degraded performance.

However, there is no information provided in the context or resources about direct impacts on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability does not involve data leakage, unauthorized access, or data integrity issues, but rather a denial-of-service risk.

Therefore, while the vulnerability could indirectly affect availability aspects of compliance frameworks that require system availability, there is no explicit mention or evidence that it directly affects compliance with GDPR, HIPAA, or similar regulations.

Impact Analysis

This vulnerability can impact you by causing denial-of-service (DoS) conditions in applications that use the vulnerable versions of the brace-expansion library.

If an attacker or malformed input provides a brace pattern with a zero step value, the process using the library can hang for several seconds and consume a large amount of memory, potentially exhausting system resources.

This can lead to application unresponsiveness, crashes, or degraded performance, affecting availability.

The vulnerability can be triggered remotely if the application processes untrusted input strings passed to the `expand()` function, including command-line arguments or configuration files.

Detection Guidance

This vulnerability manifests when the brace-expansion library processes a brace pattern with a zero step value (e.g., `{1..2..0}`), causing the process to hang and consume excessive memory. Detection can focus on identifying usage of vulnerable versions of the brace-expansion library prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13.

To detect if your system or application is vulnerable, you can check the installed version of the brace-expansion package in your environment. For example, if you use npm, run:

  • npm list brace-expansion

If the version is older than the fixed versions mentioned above, your system is potentially vulnerable.

Additionally, you can monitor for processes that hang or consume excessive memory when handling inputs containing brace expansions, especially those with patterns like `{1..2..0}`.

There are no specific network commands or signatures provided in the resources to detect exploitation attempts, but monitoring application logs or inputs for brace expansion patterns with zero step values can help.

Mitigation Strategies

The primary mitigation is to upgrade the brace-expansion library to a fixed version. The vulnerability is fixed in versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 of the brace-expansion package.

If upgrading immediately is not possible, sanitize any input strings passed to the `expand()` function to ensure that the step value in brace expansions is never zero. This prevents the infinite loop and memory exhaustion.

Specifically, ensure that any brace pattern like `{1..2..0}` is either rejected or transformed to use a minimum step value of 1.

Applying patches or backports described in the resources to your current version can also mitigate the issue if upgrading is not feasible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart