VYPR
Medium severity (6.5) · NVD Advisory · Published Mar 27, 2026 · Updated Apr 22, 2026

CVE-2026-33750

Description

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate large amounts of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to expand() to ensure a step value of 0 is not used.
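The workaround above says to reject a step value of 0 before the string reaches expand(). The following is an added example of such a pre-filter; it is not code from the brace-expansion project. The regex for the {start..end..step} form, the name safeExpand, and the stub standing in for expand() are assumptions for illustration: the guard is a conservative filter layered in front of whatever expand() you call, not a full brace-expansion parser.

```javascript
// Added example (not brace-expansion project code): a pre-filter that
// implements the advisory's workaround of rejecting patterns whose
// sequence step is 0 before they are passed to expand().
// The regex is an assumption about the {start..end..step} syntax and
// deliberately errs on the side of matching: numeric or single-letter
// endpoints, followed by "..step" where step is an optionally signed integer.
const STEPPED_SEQUENCE = /\{(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])\.\.(-?\d+)\}/g;

/**
 * Returns every zero-step sequence found in `pattern`, e.g. ["{1..2..0}"].
 * An empty array means the pattern is clean with respect to this issue.
 */
function findZeroStepSequences(pattern) {
  const hits = [];
  for (const m of pattern.matchAll(STEPPED_SEQUENCE)) {
    // parseInt normalises "0", "-0" and zero-padded forms such as "00".
    if (Number.parseInt(m[3], 10) === 0) hits.push(m[0]);
  }
  return hits;
}

/**
 * Wraps an expand-like function so zero-step patterns raise an error
 * instead of being forwarded. `expandFn` is whatever expand() you use
 * (the real library in production; a constructed stub below).
 */
function safeExpand(pattern, expandFn) {
  if (typeof pattern !== 'string') {
    throw new TypeError('pattern must be a string');
  }
  const bad = findZeroStepSequences(pattern);
  if (bad.length > 0) {
    throw new RangeError(`rejected brace pattern with zero step: ${bad.join(', ')}`);
  }
  return expandFn(pattern);
}

// Constructed stand-in for expand(): it performs no brace expansion and
// only records that the pattern was allowed through the guard.
function stubExpand(pattern) {
  return [`expanded:${pattern}`];
}

// Constructed sample inputs: three benign patterns and three zero-step forms.
const samples = ['a{1..3}b', 'x{1..10..2}y', '{1..2..0}', 'pre{a..e..0}post', 'n{5..1..-00}'];
for (const s of samples) {
  try {
    console.log(s, '->', safeExpand(s, stubExpand));
  } catch (e) {
    console.log(s, '-> rejected:', e.message);
  }
}
```

Only the step field is inspected, so ordinary ranges such as {1..3} and non-zero steps pass through untouched; the guard rejects before any allocation happens, which is the point of the workaround until the patched versions are deployed.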

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions      Patched versions
brace-expansion (npm)   >= 4.0.0, < 5.0.5      5.0.5
brace-expansion (npm)   >= 3.0.0, < 3.0.2      3.0.2
brace-expansion (npm)   >= 2.0.0, < 2.0.3      2.0.3
brace-expansion (npm)   < 1.1.13               1.1.13

Affected products: 114

References: 12

News mentions: 0 (no linked articles in the index yet)