CVE-2026-45149
brace-expansion: Large numeric range defeats documented `max` DoS protection
Severity: MEDIUM 6.5 | EPSS: 0.04%
Published: 2026/5/18 | Modified: 2026/5/20
Description
The `max` option was applied too late. When a single large numeric range such as `{1..10000000}` is expanded, the sequence-generation loop materialises all 10 million intermediate elements first, and only then is the result truncated to `max`. With `max=10` the returned array is correctly limited to 10 items, but the process still allocates roughly 505 MB and spends about 800 ms building the full intermediate array. The cost of a call is therefore proportional to the size of the range in the input pattern, not to `max`, so an attacker who controls the pattern can still exhaust memory and CPU even when the documented limit is set.
### Workaround
Ensure the string to be expanded does not contain more values than the desired `max` item count, for example by computing the size of each numeric range from its bounds and step and rejecting the input before calling the expander.
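The following is an added illustration, not code from the brace-expansion project. It is a minimal numeric-range expander written two ways so the difference between applying `max` after generation and applying it inside the generation loop can be measured, plus an arithmetic pre-check that implements the workaround above. The function names (`expandLate`, `expandEarly`, `rangeSize`) and the `{items, generated}` return shape are assumptions made for the example; only the `{start..end}` and `{start..end..step}` forms are handled, whereas the real library also handles alphabetic ranges, comma lists and nesting.

```javascript
// Added example, not brace-expansion's own code. Demonstrates why the point at
// which `max` is enforced decides whether the limit actually bounds work done.

const RANGE_RE = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/;

// Parse "{1..10}" or "{10..1..3}" into {start, end, step}; null if not a numeric range.
function parseNumericRange(str) {
  const m = RANGE_RE.exec(str);
  if (!m) return null;
  const start = Number(m[1]);
  const end = Number(m[2]);
  let step = m[3] === undefined ? 1 : Math.abs(Number(m[3]));
  if (step === 0) step = 1;            // a zero step would loop forever
  if (end < start) step = -step;       // count downwards for descending ranges
  return { start, end, step };
}

// Workaround check: number of items a pattern would expand to, computed
// arithmetically from the bounds so nothing is allocated up front.
function rangeSize(str) {
  const r = parseNumericRange(str);
  if (!r) return 1;                    // a literal expands to itself
  return Math.floor(Math.abs(r.end - r.start) / Math.abs(r.step)) + 1;
}

// Vulnerable pattern (mirrors the advisory): build the whole sequence, then
// truncate to `max`. `generated` records how many elements were materialised.
function expandLate(str, { max = Infinity } = {}) {
  const r = parseNumericRange(str);
  if (!r) return { items: [str], generated: 1 };
  const all = [];
  for (let i = r.start; r.step > 0 ? i <= r.end : i >= r.end; i += r.step) {
    all.push(String(i));               // cost proportional to the range, not to max
  }
  return { items: all.slice(0, max), generated: all.length };
}

// Fixed pattern: stop the generation loop as soon as `max` items exist, so
// the work done is bounded by `max` regardless of the range in the input.
function expandEarly(str, { max = Infinity } = {}) {
  const r = parseNumericRange(str);
  if (!r) return { items: [str], generated: 1 };
  const items = [];
  for (let i = r.start; r.step > 0 ? i <= r.end : i >= r.end; i += r.step) {
    if (items.length >= max) break;
    items.push(String(i));
  }
  return { items, generated: items.length };
}

// Guarded entry point implementing the advisory's workaround: refuse patterns
// whose computed size exceeds the limit instead of expanding them at all.
function expandGuarded(str, { max = Infinity } = {}) {
  const size = rangeSize(str);
  if (size > max) {
    throw new RangeError(`pattern expands to ${size} items, limit is ${max}`);
  }
  return expandEarly(str, { max }).items;
}

// Demo on a constructed pattern small enough to run anywhere; the advisory's
// {1..10000000} behaves the same way, only ~100x more expensive for expandLate.
const pattern = '{1..100000}';
console.log('late :', expandLate(pattern, { max: 10 }).generated, 'elements generated');
console.log('early:', expandEarly(pattern, { max: 10 }).generated, 'elements generated');
console.log('size :', rangeSize(pattern), 'items without allocating any');

module.exports = { parseNumericRange, rangeSize, expandLate, expandEarly, expandGuarded };
```

Both `expandLate` and `expandEarly` return the same 10 items for `{1..100000}` with `max: 10`; only the `generated` counter reveals that the first did 100,000 units of work and the second did 10. `rangeSize` is the check to run on untrusted patterns before expansion: it costs one regex match and one division, whatever the range bounds are.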
Affected packages (2)
- Debian / node-brace-expansion: affected from version 0
- npm / brace-expansion: >= 5.0.0, < 5.0.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References (4)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-45149
- PATCH: https://github.com/juliangruber/brace-expansion
- WEB: https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
- WEB: https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2