Critical severityNVD Advisory· Published Feb 4, 2026· Updated Apr 15, 2026

CVE-2026-25547

Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@isaacs/brace-expansionnpm	< 5.0.1	5.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7h2j-956f-4vf2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-25547ghsaADVISORY
github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000