CVE-2026-45149
Status: Received - Intake
Brace Expansion Memory Exhaustion in Brace Expansion Library

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions 5.0.0 up to but not including 5.0.6, the max option was applied too late. When expanding a single large numeric range such as {1..10000000}, the sequence generation loop produces all 10 million intermediate elements before the max limit is applied. With max=10 the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800 ms building the full intermediate array, so the cost of a call is bounded by the range the caller supplies rather than by max. This vulnerability is fixed in 5.0.6.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-30
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-400: Uncontrolled Resource Consumption. The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability CVE-2026-45149 affects the brace-expansion library versions 5.0.0 to 5.0.5. It occurs because the 'max' option, which is supposed to limit the number of expanded items, is applied too late during the expansion of large numeric ranges like {1..10000000}.

As a result, the library generates all intermediate elements in the sequence (e.g., all 10 million numbers) before applying the limit, causing excessive memory allocation (~505 MB) and processing time (~800ms), even if the final output is limited to a smaller number of items.

This inefficiency can lead to performance degradation and high resource consumption. The issue was fixed in version 5.0.6.


How can this vulnerability impact me? :

This vulnerability can impact you by causing high memory usage and increased processing time when expanding large numeric ranges using the brace-expansion library.

Even if the output is limited to a small number of items, the system still allocates significant memory (around 505 MB) and spends considerable time (approximately 800ms) generating all intermediate elements.

This can lead to reduced availability of the affected system or application due to resource exhaustion, potentially causing slowdowns or crashes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is primarily an inventory question: find every copy of brace-expansion at 5.0.0 through 5.0.5 in your dependency trees, including copies nested under other packages. In an npm project, npm ls brace-expansion lists each resolved copy with its version and where it sits in the tree, and npm audit reports the advisory once it is present in the registry's advisory database. Scanning the lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) gives the same answer offline and works in CI.

At runtime the symptom is a memory and latency spike that scales with the range, not with max: expanding {1..10000000} with max=10 costs roughly 505 MB and 800 ms in an affected version and a negligible amount in 5.0.6. Tools such as top, htop or ps will show the spike but not its cause, so use them to confirm a suspicion, and use the version check to find the affected installs.
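The following is an added example, not part of the advisory or of the brace-expansion project: a small scanner for an npm lockfile (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) that reports every brace-expansion install inside the affected range [5.0.0, 5.0.6). The sample lockfile is constructed for illustration, and the function names are illustrative.

```javascript
// Added example: find affected brace-expansion installs in an npm lockfile.
// Handles lockfileVersion 2/3 ("packages" keyed by "node_modules/..." paths);
// lockfileVersion 1 ("dependencies" tree) is not handled here.
const AFFECTED_PKG = "brace-expansion";
const FIRST_AFFECTED = [5, 0, 0]; // inclusive
const FIRST_FIXED = [5, 0, 6];    // exclusive

// Parse "x.y.z" (ignoring any prerelease/build suffix) into a numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two numeric triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in [FIRST_AFFECTED, FIRST_FIXED).
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, FIRST_AFFECTED) >= 0 && cmp(v, FIRST_FIXED) < 0;
}

// Walk the "packages" map. The package name is whatever follows the last
// "node_modules/" in the key, which also works for nested installs and
// scoped packages ("node_modules/@scope/name").
function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === AFFECTED_PKG && meta && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: one affected top-level copy, one fixed nested copy,
// and one copy from an older major line that the advisory does not cover.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/brace-expansion": { version: "5.0.3" },
    "node_modules/minimatch": { version: "10.0.1" },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "5.0.6" },
    "node_modules/glob/node_modules/brace-expansion": { version: "2.0.1" },
  },
};

console.log(findAffected(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty result means an upgrade to 5.0.6 or later is needed at that path, and an empty result from a version-1 lockfile is not evidence of anything because that format is not walked.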


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the brace-expansion library to version 5.0.6 or later, where this vulnerability is fixed. Check nested copies as well as the top-level one, since a fixed top-level install does not patch a copy pinned under another dependency.

If an upgrade is not immediately possible, bound the work before it reaches the library: parse any numeric range in the pattern yourself, compute its span (|end - start| + 1), and reject patterns whose span exceeds the number of items you are willing to accept. In affected versions the library's own max check runs only after the full sequence has been built, so passing max alone does not limit the allocation; the guard has to happen before expansion.
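The following is an added example, not code from the brace-expansion project: a minimal numeric-range expander written two ways, to make concrete both the mechanism described in the advisory (max applied after the loop, so memory and time grow with the range) and the caller-side workaround above (refusing oversized ranges before expansion). The function names, the returned "generated" counter and the range sizes used are illustrative.

```javascript
// Added example (not brace-expansion's own code): numeric-range expansion
// with the limit applied late (pre-5.0.6 shape) versus early (fixed shape),
// plus a pre-expansion guard a caller can apply to an unpatched dependency.

// Parse a single numeric range such as "{1..10}" or "{10..1}".
// Returns null for anything else so callers can pass it through untouched.
function parseNumericRange(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)\}$/.exec(pattern);
  return m ? { start: Number(m[1]), end: Number(m[2]) } : null;
}

// Vulnerable shape: materialise the whole sequence, then truncate to max.
// "generated" counts how many elements existed before truncation; that is
// what the ~505 MB / ~800 ms for {1..10000000} in the advisory is paying for.
function expandRangeLate(pattern, max) {
  const r = parseNumericRange(pattern);
  if (!r) return { items: [pattern], generated: 1 };
  const step = r.start <= r.end ? 1 : -1;
  const all = [];
  for (let i = r.start; step > 0 ? i <= r.end : i >= r.end; i += step) {
    all.push(String(i));
  }
  const items = max === undefined ? all : all.slice(0, max);
  return { items, generated: all.length };
}

// Fixed shape: stop generating once max elements exist, so the intermediate
// array never exceeds max no matter how large the range is.
function expandRangeEarly(pattern, max) {
  const r = parseNumericRange(pattern);
  if (!r) return { items: [pattern], generated: 1 };
  const step = r.start <= r.end ? 1 : -1;
  const out = [];
  for (let i = r.start; step > 0 ? i <= r.end : i >= r.end; i += step) {
    if (max !== undefined && out.length >= max) break;
    out.push(String(i));
  }
  return { items: out, generated: out.length };
}

// Caller-side workaround for an unpatched dependency: derive the span from
// the pattern text and refuse it before any expansion code runs.
function rangeWithinMax(pattern, max) {
  const r = parseNumericRange(pattern);
  if (!r) return true; // not a numeric range, nothing to bound here
  return Math.abs(r.end - r.start) + 1 <= max;
}

// Run both implementations on the same input and report what each built.
// Absolute timings depend on the machine; the shape is the point: "late"
// grows with the range while "early" stays flat at max.
function compare(pattern, max) {
  const t0 = Date.now();
  const late = expandRangeLate(pattern, max);
  const t1 = Date.now();
  const early = expandRangeEarly(pattern, max);
  const t2 = Date.now();
  return {
    lateGenerated: late.generated,
    lateMs: t1 - t0,
    earlyGenerated: early.generated,
    earlyMs: t2 - t1,
    sameOutput: JSON.stringify(late.items) === JSON.stringify(early.items),
  };
}

// Constructed inputs: a million-element range (kept below the advisory's
// 10 million so the demo finishes quickly) and a small item budget.
console.log("guard accepts {1..1000000} with max=10:", rangeWithinMax("{1..1000000}", 10));
console.log(compare("{1..1000000}", 10));
```

Both implementations return the same ten items; only the late one builds the other 999,990 first. The guard is deliberately computed from the pattern text rather than from the expander's output, because with an affected version any output-based check arrives after the allocation has already happened.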

