CVE-2026-45149
Analyzed Analyzed - Analysis Complete
Brace Expansion Memory Exhaustion in Brace Expansion Library

Publication date: 2026-05-29

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-12
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45149
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
juliangruber brace-expansion From 5.0.0 (inc) to 5.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-45149 affects the brace-expansion library versions 5.0.0 to 5.0.5. It occurs because the 'max' option, which is supposed to limit the number of expanded items, is applied too late during the expansion of large numeric ranges like {1..10000000}.

As a result, the library generates all intermediate elements in the sequence (e.g., all 10 million numbers) before applying the limit, causing excessive memory allocation (~505 MB) and processing time (~800ms), even if the final output is limited to a smaller number of items.

This inefficiency can lead to performance degradation and high resource consumption. The issue was fixed in version 5.0.6.

Impact Analysis

This vulnerability can impact you by causing high memory usage and increased processing time when expanding large numeric ranges using the brace-expansion library.

Even if the output is limited to a small number of items, the system still allocates significant memory (around 505 MB) and spends considerable time (approximately 800ms) generating all intermediate elements.

This can lead to reduced availability of the affected system or application due to resource exhaustion, potentially causing slowdowns or crashes.

Detection Guidance

This vulnerability can be detected by monitoring the usage of the brace-expansion library versions 5.0.0 to 5.0.5 in your environment, especially when expanding large numeric ranges such as {1..10000000}.

Detection can involve checking for unusually high memory usage (~505 MB) and processing delays (~800ms) during brace-expansion operations with large ranges.

A practical approach is to identify scripts or applications that use brace-expansion with large numeric ranges and test expansions with the max option set, observing resource consumption.

Specific commands are not provided in the resources, but you can use system monitoring tools like 'top', 'htop', or 'ps' on Linux to observe memory and CPU usage during brace-expansion operations.

Mitigation Strategies

The immediate mitigation step is to upgrade the brace-expansion library to version 5.0.6 or later, where this vulnerability is fixed.

As a workaround, ensure that input strings do not exceed the desired maximum item count before expansion to avoid generating large intermediate arrays.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart