CVE-2026-33750 Overview
CVE-2026-33750 is a Denial of Service (DoS) vulnerability in the brace-expansion library, a widely used Node.js package that generates arbitrary strings containing a common prefix and suffix. The vulnerability exists in versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13, where a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, resulting in process hang and excessive memory allocation.
Critical Impact
Applications accepting user-controlled input that is passed to the expand() function can be rendered unresponsive through resource exhaustion, potentially affecting service availability for all users.
Affected Products
- brace-expansion versions prior to 5.0.5
- brace-expansion versions prior to 3.0.2
- brace-expansion versions prior to 2.0.3
- brace-expansion versions prior to 1.1.13
Discovery Timeline
- 2026-03-27 - CVE-2026-33750 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33750
Vulnerability Analysis
The brace-expansion library provides functionality to expand brace-delimited strings into arrays of all possible combinations. The vulnerability (CWE-400: Uncontrolled Resource Consumption) exists in the numeric sequence expansion logic. When processing range patterns like {start..end..step}, the library fails to validate the step parameter properly.
When a step value of 0 is provided, the increment operation in the sequence generation loop becomes ineffective—the loop variable never advances toward the termination condition. This creates an infinite loop that continuously allocates memory without ever completing, leading to both CPU exhaustion and memory exhaustion. The attack can be triggered remotely over the network but requires user interaction, such as submitting a malicious pattern through a web form or API endpoint that processes brace expressions.
Root Cause
The root cause lies in the sequence generation function where the step increment value is calculated using Math.abs(numeric(n[2])). When the user supplies 0 as the step value, Math.abs(0) evaluates to 0, and the loop increments by zero on each iteration. This results in an infinite loop since the loop counter never reaches the termination condition.
Attack Vector
An attacker can exploit this vulnerability by providing a malicious brace pattern with a zero step value to any application that passes user input to the expand() function. The attack pattern follows this structure:
{start..end..0}
For example, submitting the string {1..2..0} to a vulnerable application causes the sequence generation loop to execute indefinitely. This network-based attack can be delivered through any input mechanism that eventually reaches the brace-expansion library.
The following patches demonstrate how the vulnerability was fixed by ensuring the step value is always at least 1:
var y = numeric(n[1]);
var width = Math.max(n[0].length, n[1].length)
var incr = n.length == 3
- ? Math.abs(numeric(n[2]))
+ ? Math.max(Math.abs(numeric(n[2])), 1)
: 1;
var test = lte;
var reverse = y < x;
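Review bot: the new `incr` expression silently coerces a zero step to 1, so `{1..2..0}` now expands like `{1..2}` instead of being rejected; that behaviour change deserves a changelog or README line and a regression test for the zero-step input, neither of which is part of this hunk. Also note that `Math.max(Math.abs(x), 1)` evaluates to `NaN` when `x` is `NaN`, so if `numeric(n[2])` can ever return a non-number the guard does not help; a `Number.isFinite(...)` check (or an `|| 1` fallback) on the step would close that gap as well.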
Source: GitHub Commit - v2 Backport
The fix wraps the step calculation with Math.max(..., 1) to ensure the increment value can never be zero, preventing the infinite loop condition.
Detection Methods for CVE-2026-33750
Indicators of Compromise
- Processes consuming 100% CPU with no progression, particularly Node.js applications
- Rapid memory growth in application processes handling string expansion operations
- Application logs showing timeouts or hangs when processing user-submitted patterns containing {..} syntax
- System-level alerts for memory exhaustion or out-of-memory conditions
Detection Strategies
- Implement dependency scanning tools to identify vulnerable versions of brace-expansion in your package.json and package-lock.json files
- Monitor application performance metrics for sudden CPU spikes correlated with user input processing
- Deploy runtime application self-protection (RASP) solutions that can detect infinite loop conditions
- Use static code analysis to identify code paths where user input flows to expand() function calls
Monitoring Recommendations
- Set up alerts for Node.js process memory consumption exceeding baseline thresholds
- Configure application performance monitoring (APM) to track the duration of string expansion operations
- Implement request timeouts at the application layer to prevent individual requests from consuming resources indefinitely
- Monitor for patterns containing ..0} or ..0.. in input logs as potential attack indicators
How to Mitigate CVE-2026-33750
Immediate Actions Required
- Update brace-expansion to version 5.0.5, 3.0.2, 2.0.3, or 1.1.13 depending on your major version branch
- Audit your codebase to identify all locations where user input may reach the expand() function
- Implement input validation to reject or sanitize brace patterns before processing
- Consider implementing request timeouts to limit the impact of any exploitation attempts
Patch Information
The vulnerability has been patched in multiple version branches. Update to the appropriate fixed version based on your current major version:
| Current Version | Fixed Version |
|---|---|
| 5.x | 5.0.5 |
| 3.x | 3.0.2 |
| 2.x | 2.0.3 |
| 1.x | 1.1.13 |
For detailed patch information, refer to the GitHub Security Advisory and related pull requests.
Workarounds
- Sanitize all strings passed to expand() to ensure a step value of 0 is not present in brace patterns
- Implement a regular expression filter to reject patterns matching /\{\d+\.\.\d+\.\.0\}/ before processing
- Wrap calls to expand() with timeout mechanisms to prevent indefinite hangs
- Consider using a sandboxed execution environment for processing untrusted input
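As an added example (not code from the brace-expansion project or this advisory), the following JavaScript pre-check rejects zero-step ranges before a pattern reaches expand(). It covers the monitoring pattern and the regex workaround listed above and generalizes them: the advisory's regex /\{\d+\.\.\d+\.\.0\}/ only matches positive decimal bounds and a single literal 0, so it misses inputs such as {-5..5..0}, {a..z..0} or {1..2..00}; the step tokens treated as zero and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not code from the brace-expansion project): a pre-check for
// user-supplied brace patterns that rejects any {start..end..step} range whose
// step token is numerically zero, the CVE-2026-33750 trigger.
// Assumptions: a step token counts as zero when it is an integer literal equal
// to 0 (0, 00, -0, +0); operands are any run of characters without braces,
// commas or dots, so negative and alphabetic bounds are covered as well.

// Innermost {start..end..step} ranges; two-operand ranges like {1..3} never match.
const RANGE_RE = /\{([^{},.]+)\.\.([^{},.]+)\.\.([^{},.]+)\}/g;

function isZeroStep(token) {
  // Strict integer syntax, then a numeric compare so "00", "-0" and "+0" all count.
  return /^[-+]?\d+$/.test(token) && Number(token) === 0;
}

// Returns the offending range literals found in `pattern` (empty array when safe).
function findZeroStepRanges(pattern) {
  const hits = [];
  for (const m of pattern.matchAll(RANGE_RE)) {
    if (isZeroStep(m[3])) hits.push(m[0]);
  }
  return hits;
}

// Guard to call before expand(): throws on a zero-step range, else returns the input.
function assertSafeBracePattern(pattern) {
  const bad = findZeroStepRanges(pattern);
  if (bad.length > 0) {
    throw new RangeError(`rejected brace range with zero step: ${bad.join(', ')}`);
  }
  return pattern;
}

// Constructed sample inputs standing in for values read from a request log.
const SAMPLES = [
  'file{1..3}.txt',     // safe: no explicit step
  'img{1..2..0}.png',   // the trigger quoted in the advisory
  'host{-5..5..00}',    // zero step spelled with two digits, negative bound
  'node{a..z..-0}',     // alphabetic bounds, negative zero step
  '{1..10..2}-{x..z}',  // safe: non-zero step plus a two-operand range
];

// Log-scanning use: returns the sample inputs that would have to be rejected.
function scanSamples(samples) {
  return samples.filter((s) => findZeroStepRanges(s).length > 0);
}
```

Call assertSafeBracePattern() immediately before expand() on any untrusted string, and run scanSamples() over logged inputs to confirm whether zero-step patterns have been submitted in the past.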
# Update brace-expansion via npm
npm update brace-expansion
# Or install a specific fixed version
npm install brace-expansion@5.0.5
# Audit your project for vulnerable dependencies
npm audit
# Fix vulnerabilities automatically where possible
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.