CVE-2026-45149
Denial of Service vulnerability in brace-expansion (npm)

Type: Denial of Service. Known exploit: none.

What is CVE-2026-45149 About?

This denial of service vulnerability stems from inefficient handling of large numeric ranges during string expansion, where the `max` option is applied too late. This causes excessive memory allocation and processing time for large inputs. Attackers could exploit this by providing a specially crafted input string, leading to resource exhaustion and degraded service.

Affected Software

brace-expansion >=5.0.0, <5.0.6

Technical Details

The vulnerability is triggered by the expansion of a single large numeric range such as `{1..10000000}`. The code that generates the sequence materialises every intermediate element (10 million items for that range) before the configured `max` limit (e.g., `max=10`) is applied. Consequently, even though the final output is correctly limited, the process still allocates a substantial amount of memory (~505 MB) and consumes significant CPU time (~800 ms) to build the full, oversized intermediate array. Because the cost is proportional to the requested range rather than to `max`, a malicious or merely overly large input can exhaust the process's resources.
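The following is an added illustration of the defect class described above, written as a hypothetical reimplementation of numeric range expansion; it is not the brace-expansion package's own code, and the `max` parameter, the `parseRange` grammar and the `generated` counter are constructed for this example. It shows the late-cap pattern beside the early-cap fix, plus a caller-side size check for applications that cannot upgrade yet.

```javascript
// Parses a single numeric range such as "{1..100}". Constructed grammar,
// deliberately narrower than real brace expansion.
function parseRange(text) {
  const m = /^\{(-?\d+)\.\.(-?\d+)\}$/.exec(text);
  if (!m) return null;
  return { from: Number(m[1]), to: Number(m[2]) };
}

// Defect pattern: every element of the range is materialised and `max` is
// applied only afterwards. `generated` records how much work was done, which
// is what the ~505 MB / ~800 ms figures in the advisory correspond to.
function expandLateCap(text, max) {
  const r = parseRange(text);
  if (!r) return { items: [text], generated: 0 };
  const all = [];
  const step = r.from <= r.to ? 1 : -1;
  for (let i = r.from; step > 0 ? i <= r.to : i >= r.to; i += step) all.push(String(i));
  return { items: all.slice(0, max), generated: all.length };
}

// Corrected pattern: the cap bounds the loop itself, so allocation and CPU
// time are proportional to min(max, range length), not the requested range.
function expandEarlyCap(text, max) {
  const r = parseRange(text);
  if (!r) return { items: [text], generated: 0 };
  const out = [];
  const step = r.from <= r.to ? 1 : -1;
  for (let i = r.from; (step > 0 ? i <= r.to : i >= r.to) && out.length < max; i += step) {
    out.push(String(i));
  }
  return { items: out, generated: out.length };
}

// Caller-side guard while still on an affected version: compute the range
// size arithmetically, without expanding anything, so the application can
// reject oversized input before it reaches the library. Returns -1 when the
// text is not a numeric range.
function rangeSize(text) {
  const r = parseRange(text);
  return r ? Math.abs(r.to - r.from) + 1 : -1;
}
```

The test below uses `{1..100000}` rather than the advisory's ten-million-element range so it runs quickly; the generated-element counts differ by the same factor either way.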

What is the Impact of CVE-2026-45149?

Successful exploitation may allow attackers to cause a denial of service by consuming excessive memory and CPU resources on the server. This can lead to system unresponsiveness, crashes, or a degraded user experience for legitimate users.

What is the Exploitability of CVE-2026-45149?

Exploitation complexity is low to moderate. It does not require authentication or specific privileges, but the attacker needs to be able to provide input that triggers the numeric range expansion. This typically involves remote access via an application that processes user-supplied strings for expansion. The primary condition for exploitation is the ability to submit a string with a large numeric range (e.g., {1..N} where N is a large number). There are no specific external prerequisites, but the impact depends on the server's available resources and how quickly it can recover. The lack of input validation on the size of the numeric range increases the likelihood of exploitation.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2026-45149?

Available Upgrade Options

  • brace-expansion
    • >=5.0.0, <5.0.6 → Upgrade to 5.0.6

Additional Resources

What are Similar Vulnerabilities to CVE-2026-45149?

Similar Vulnerabilities: CVE-2023-45811, CVE-2023-44487, CVE-2023-38827, CVE-2023-38408, CVE-2023-36657