CVE-2026-45149 Overview
CVE-2026-45149 is a denial-of-service vulnerability in the brace-expansion Node.js library maintained by juliangruber. The library generates arbitrary strings containing a common prefix and suffix from brace patterns such as {1..N}. In versions 5.0.0 through 5.0.5, the max option was applied too late during expansion. When a caller supplies a large numeric range like {1..10000000}, the sequence generation loop builds all 10 million intermediate elements before truncation occurs. Even with max=10, the process allocates approximately 505 MB and consumes roughly 800 ms of CPU time. The flaw is categorized under CWE-400 (Uncontrolled Resource Consumption) and is fixed in version 5.0.6.
Critical Impact
An attacker who can supply or influence brace-expansion input can trigger excessive memory allocation and CPU usage, leading to denial of service in any Node.js application that processes untrusted patterns.
Affected Products
- juliangruber brace-expansion 5.0.0
- juliangruber brace-expansion 5.0.1 through 5.0.5
- Node.js applications transitively depending on vulnerable brace-expansion versions
Discovery Timeline
- 2026-05-29 - CVE-2026-45149 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-45149
Vulnerability Analysis
The brace-expansion library expands shell-style brace patterns into arrays of strings. The library accepts a max option intended to cap the size of the resulting expansion. In affected versions, this cap is enforced only after the full intermediate sequence is materialized in memory.
For numeric ranges such as {1..10000000}, the generator allocates every integer in the range before applying the max truncation. The resulting array consumes around 505 MB of heap memory and approximately 800 ms of CPU time per call. A single malicious pattern can therefore stall the event loop and exhaust Node.js process memory.
Applications that pass user-controlled input to brace-expansion, or to upstream consumers such as minimatch and glob matchers, inherit this exposure. Repeated requests amplify the effect into a sustained denial-of-service condition.
Root Cause
The defect resides in the sequence generation loop for numeric ranges. The loop iterates across the full numeric domain defined by the brace pattern and pushes each element into an intermediate array. The max boundary check executes after loop completion rather than inside the loop. The fix in version 5.0.6 moves the boundary enforcement into the generation loop so iteration halts once the limit is reached.
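The following is an added illustration of the defect class described above, not the brace-expansion library's own code: a minimal numeric-range expander written in two shapes, one that truncates after the loop (the affected behaviour) and one that enforces the cap inside the loop (the 5.0.6 approach), with a counter showing how many elements each shape materializes. The function names and the 1,000,000-element demo range are assumptions chosen for this example.

```javascript
// Added illustration of the defect described above. This is not the
// brace-expansion library's code: it is a minimal numeric-range expander
// written to contrast truncating after the loop with stopping inside it.

// Vulnerable shape: the loop materializes the whole range, then max is
// applied. `pushed` records how many elements existed before truncation.
function expandRangeLate(start, end, max) {
  const out = [];
  for (let i = start; i <= end; i++) {
    out.push(String(i));
  }
  const pushed = out.length;
  return { result: out.slice(0, max), pushed };
}

// Fixed shape: the boundary check lives inside the loop, so iteration halts
// as soon as `max` elements exist and the large range is never allocated.
function expandRangeEarly(start, end, max) {
  const out = [];
  for (let i = start; i <= end; i++) {
    if (out.length >= max) break;
    out.push(String(i));
  }
  return { result: out, pushed: out.length };
}

// Compare both shapes on the same range (1,000,000 elements keeps the demo
// quick; the advisory's 10,000,000 case behaves the same way, only larger).
function compare(end = 1000000, max = 10) {
  const late = expandRangeLate(1, end, max);
  const early = expandRangeEarly(1, end, max);
  return {
    sameResult: JSON.stringify(late.result) === JSON.stringify(early.result),
    latePushed: late.pushed,    // equals `end`: full range materialized
    earlyPushed: early.pushed,  // equals `max`: stopped at the cap
  };
}

console.log(compare());
```

Both shapes return the identical ten-element result; only the number of intermediate elements differs, which is exactly the allocation the advisory's 505 MB figure comes from.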
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker submits a brace pattern containing a large numeric range to any application surface that forwards the input to brace-expansion. Common attack surfaces include file-matching APIs, configuration parsers, and HTTP endpoints that accept glob patterns. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-jxxr-4gwj-5jf2.
Detection Methods for CVE-2026-45149
Indicators of Compromise
- Node.js processes exhibiting sudden memory spikes of approximately 500 MB per request involving glob or pattern inputs.
- Event loop stalls of several hundred milliseconds correlated with HTTP requests containing large brace-range expressions.
- Repeated requests containing patterns such as {1..10000000} or similarly large numeric ranges in URLs, headers, or POST bodies.
Detection Strategies
- Inventory Node.js dependencies using npm ls brace-expansion to identify transitive use of versions 5.0.0 through 5.0.5.
- Inspect application logs for request patterns containing brace expressions with large numeric upper bounds.
- Correlate process memory and CPU telemetry with inbound request payloads to identify resource-exhaustion attempts.
Monitoring Recommendations
- Track Node.js heap usage and event-loop lag through APM tooling and alert on anomalous deviations.
- Log and rate-limit endpoints that accept user-supplied glob or brace patterns.
- Monitor for repeated client requests containing numeric ranges that exceed expected operational bounds.
How to Mitigate CVE-2026-45149
Immediate Actions Required
- Upgrade brace-expansion to version 5.0.6 or later across all direct and transitive dependencies.
- Run npm audit and npm update brace-expansion to resolve nested dependency trees.
- Reject or sanitize untrusted brace patterns at the application boundary before passing them to glob or pattern libraries.
Patch Information
The vulnerability is fixed in brace-expansion version 5.0.6. The patch enforces the max limit inside the sequence generation loop, preventing allocation of intermediate elements beyond the configured cap. Refer to the GitHub Security Advisory GHSA-jxxr-4gwj-5jf2 for upstream remediation details.
Workarounds
- Validate brace-expansion input length and reject patterns containing numeric ranges above an application-specific threshold.
- Wrap calls to brace-expansion in worker threads with memory and time limits to contain resource impact.
- Apply request size limits and rate limiting on endpoints that consume glob or brace pattern input.
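An added example, not code from the advisory or the brace-expansion project, serving both the log-inspection strategy under Detection Strategies and the input-validation workaround above: it parses the numeric brace ranges in a string, computes how many elements they would expand to, rejects patterns above an application-chosen threshold, and runs the same parser over constructed request-log lines. The threshold value, the log format and the helper names are assumptions.

```javascript
// Added example, not code from the advisory or the brace-expansion project.
// It checks how many elements the numeric ranges in a pattern would expand
// to, so oversized input can be rejected at the boundary or flagged in logs.
const RANGE_RE = /\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/g;

// Largest element count any {a..b} (or shell-style {a..b..step}) range in the
// string would produce; 0 when the string holds no numeric range at all.
function maxRangeSpan(text) {
  let worst = 0;
  for (const m of text.matchAll(RANGE_RE)) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    const step = Math.max(1, Math.abs(Number(m[3] ?? 1)));
    const span = Math.floor(Math.abs(b - a) / step) + 1;
    if (span > worst) worst = span;
  }
  return worst;
}

// Boundary validator: the threshold is an application-specific choice (1000
// here is an assumed value), not a limit taken from the library.
function isAcceptablePattern(pattern, threshold = 1000) {
  return maxRangeSpan(pattern) <= threshold;
}

// Braces often arrive percent-encoded in URLs; decode before inspecting.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Constructed request-log lines (format assumed for this example).
const SAMPLE_LOG = [
  '2026-06-01T10:00:01Z GET /files?glob=src/**/*.js 200',
  '2026-06-01T10:00:02Z GET /files?glob=file{1..10000000}.txt 200',
  '2026-06-01T10:00:03Z GET /files?glob=img%7B1..5000%7D.png 200',
  '2026-06-01T10:00:04Z POST /search body=report{2020..2026}.pdf 200',
];

// Return the log lines whose payload carries a range above the threshold.
function flagOversizedRanges(lines, threshold = 1000) {
  return lines.filter((line) => maxRangeSpan(safeDecode(line)) > threshold);
}

console.log(flagOversizedRanges(SAMPLE_LOG));
```

Because the check counts elements rather than characters, a short pattern such as {1..10000000} is still caught, which a plain input-length limit would miss.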
# Configuration example
# Pin the fixed release (quoted so the shell does not interpret ^), then
# confirm no vulnerable 5.0.0 through 5.0.5 copy remains in the dependency tree.
npm install 'brace-expansion@^5.0.6'
npm ls brace-expansion
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.