CVE-2026-33750
Infinite Loop and Memory Exhaustion in brace-expansion Library
Publication date: 2026-03-27
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juliangruber | brace-expansion | to 1.1.13 (exc) |
| juliangruber | brace-expansion | From 2.0.0 (inc) to 2.0.3 (exc) |
| juliangruber | brace-expansion | From 3.0.0 (inc) to 3.0.2 (exc) |
| juliangruber | brace-expansion | From 5.0.0 (inc) to 5.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the brace-expansion library causes a denial-of-service condition by making the process hang and consume excessive memory when a zero-step brace pattern is used. This can lead to service unavailability or degraded performance.
However, there is no information provided in the context or resources about direct impacts on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability does not involve data leakage, unauthorized access, or data integrity issues, but rather a denial-of-service risk.
Therefore, while the vulnerability could indirectly affect availability aspects of compliance frameworks that require system availability, there is no explicit mention or evidence that it directly affects compliance with GDPR, HIPAA, or similar regulations.
Can you explain this vulnerability to me?
CVE-2026-33750 is a vulnerability in the brace-expansion library where a brace pattern with a zero step value (for example, `{1..2..0}`) causes the sequence generation loop to run indefinitely. This happens because the increment used in the loop is zero, so the loop variable never advances, resulting in an infinite loop.
This infinite loop causes the process to hang for several seconds and allocate a large amount of memory, potentially around 1.9 GB, before eventually throwing a RangeError. The issue affects versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13 of the brace-expansion library.
The vulnerability arises because the library does not properly handle a zero step value in brace expansions, leading to denial-of-service conditions due to excessive CPU and memory consumption.
The issue was fixed by ensuring the increment value is at least 1, preventing zero-step increments from causing infinite loops.
How can this vulnerability impact me?
This vulnerability can impact you by causing denial-of-service (DoS) conditions in applications that use the vulnerable versions of the brace-expansion library.
If an attacker or malformed input provides a brace pattern with a zero step value, the process using the library can hang for several seconds and consume a large amount of memory, potentially exhausting system resources.
This can lead to application unresponsiveness, crashes, or degraded performance, affecting availability.
The vulnerability can be triggered remotely if the application processes untrusted input strings passed to the `expand()` function, including command-line arguments or configuration files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests when the brace-expansion library processes a brace pattern with a zero step value (e.g., `{1..2..0}`), causing the process to hang and consume excessive memory. Detection can focus on identifying usage of vulnerable versions of the brace-expansion library prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13.
To detect if your system or application is vulnerable, you can check the installed version of the brace-expansion package in your environment. For example, if you use npm, run:
- `npm list brace-expansion`
If the version is older than the fixed versions mentioned above, your system is potentially vulnerable.
Additionally, you can monitor for processes that hang or consume excessive memory when handling inputs containing brace expansions, especially those with patterns like `{1..2..0}`.
There are no specific network commands or signatures provided in the resources to detect exploitation attempts, but monitoring application logs or inputs for brace expansion patterns with zero step values can help.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the brace-expansion library to a fixed version. The vulnerability is fixed in versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 of the brace-expansion package.
If upgrading immediately is not possible, sanitize any input strings passed to the `expand()` function to ensure that the step value in brace expansions is never zero. This prevents the infinite loop and memory exhaustion.
Specifically, ensure that any brace pattern like `{1..2..0}` is either rejected or transformed to use a minimum step value of 1.
Applying patches or backports described in the resources to your current version can also mitigate the issue if upgrading is not feasible.
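The two defences described above (rejecting zero-step patterns before they reach `expand()`, and clamping the increment to a minimum of 1 inside the expander) as an added example; this is not brace-expansion's own code, and the function names `hasZeroStep` and `expandSequence` and the item cap are assumptions for illustration.

```javascript
// Added example, not the library's code. A minimal numeric sequence
// expander showing the zero-step hazard and two defences: a pre-check
// that rejects {a..b..0} input, and a clamp that keeps the step >= 1.

// Matches one numeric sequence body such as "1..2..0" (assumed format).
const SEQ_RE = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/;

// Pre-check for untrusted input: true if any {a..b..step} has step 0.
// Call this before handing a pattern to expand() on an unpatched version.
function hasZeroStep(pattern) {
  const braceRe = /\{([^{}]*)\}/g;
  let m;
  while ((m = braceRe.exec(pattern)) !== null) {
    const seq = SEQ_RE.exec(m[1]);
    if (seq && seq[3] !== undefined && Number(seq[3]) === 0) return true;
  }
  return false;
}

// Hardened expander for one sequence body. Without the Math.max(1, ...)
// clamp a step of 0 leaves `i` unchanged and the loop never terminates,
// which is the behaviour the advisory describes; the clamp is the fix
// (increment is at least 1). The item cap is added defence in depth
// against memory exhaustion from very wide ranges (constructed limit).
function expandSequence(body, maxItems = 10000) {
  const seq = SEQ_RE.exec(body);
  if (!seq) return [body]; // not a numeric sequence: pass through
  const start = Number(seq[1]);
  const end = Number(seq[2]);
  const rawStep = seq[3] === undefined ? 1 : Number(seq[3]);
  const step = Math.max(1, Math.abs(rawStep)); // never 0
  if (Math.floor(Math.abs(end - start) / step) + 1 > maxItems) {
    throw new RangeError('sequence exceeds maxItems');
  }
  const out = [];
  if (start <= end) {
    for (let i = start; i <= end; i += step) out.push(String(i));
  } else {
    for (let i = start; i >= end; i -= step) out.push(String(i));
  }
  return out;
}
```

With the clamp, `{1..2..0}` expands to `1 2` instead of hanging; with the pre-check, the same input can be rejected outright before expansion.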