CVE-2026-33750

Summary

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to expand() to ensure a step value of 0 is not used.

Affected Software

VendorProductVersion RangeStatus
juliangruberbrace-expansion>= 4.0.0, < 5.0.5affected
juliangruberbrace-expansion>= 3.0.0, < 3.0.2affected
juliangruberbrace-expansion>= 2.0.0, < 2.0.3affected
juliangruberbrace-expansion< 1.1.13affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References