VYPR
Medium severity (score 6.5) · NVD Advisory · Published Mar 27, 2026 · Updated Apr 22, 2026

CVE-2026-33750

Description

The brace-expansion library generates arbitrary strings that share a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence-generation loop to run indefinitely: the process hangs and keeps allocating memory until it is killed or exhausts the heap. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to expand() so that a step value of 0 is never used.
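The mechanism and the fix, as an added example that is not brace-expansion's own code: a minimal numeric {x..y..step} expander with the pre-fix step handling (Math.abs only) next to the patched clamp (Math.max(..., 1)), plus the sanitiser the advisory recommends as a workaround. The parser regex, the helper names (parseSequence, generate, expandVulnerable, expandFixed, hasZeroStep, safeExpand) and the iteration guard are assumptions made for this demonstration; the guard exists only so the vulnerable variant can be shown without hanging the process.

```javascript
// Added example for CVE-2026-33750 (not brace-expansion's own code): a
// minimal numeric {x..y..step} expander reproducing the zero-step bug,
// the clamp from the fix, and the input sanitiser the advisory suggests
// as a workaround. Parsing, helper names and the iteration guard are
// assumptions for this demonstration, not the library's API.

// Parse "{x..y}" or "{x..y..step}" with integer bounds; null if the
// string is not a plain numeric sequence (nesting is out of scope here).
function parseSequence(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/.exec(pattern);
  if (!m) return null;
  return {
    x: parseInt(m[1], 10),
    y: parseInt(m[2], 10),
    step: m[3] === undefined ? 1 : parseInt(m[3], 10),
  };
}

// The generation loop shared by both variants. Termination requires
// incr >= 1: each iteration moves i by incr toward y until the bound
// test fails. maxIterations is a harness guard (an assumption, not part
// of the library) so the vulnerable variant can be shown without hanging.
function generate(seq, incr, maxIterations) {
  const reverse = seq.y < seq.x;
  const inBounds = reverse ? (i) => i >= seq.y : (i) => i <= seq.y;
  const out = [];
  let iterations = 0;
  for (let i = seq.x; inBounds(i); i += reverse ? -incr : incr) {
    if (++iterations > maxIterations) {
      throw new RangeError(
        `sequence loop did not terminate within ${maxIterations} iterations (incr=${incr})`
      );
    }
    out.push(String(i));
  }
  return out;
}

// Pre-fix behaviour: the step only passes through Math.abs, so
// "{1..2..0}" yields incr = 0, i stays at x forever, and every iteration
// allocates another string.
function expandVulnerable(pattern, maxIterations = 10000) {
  const seq = parseSequence(pattern);
  if (seq === null) return [pattern];
  const incr = Math.abs(seq.step);
  return generate(seq, incr, maxIterations);
}

// Post-fix behaviour, mirroring the patched line
// `Math.max(Math.abs(numeric(n[2])), 1)`: a zero step is clamped to 1,
// which is also how bash treats {1..2..0} (it expands to 1 2).
function expandFixed(pattern, maxIterations = 10000) {
  const seq = parseSequence(pattern);
  if (seq === null) return [pattern];
  const incr = Math.max(Math.abs(seq.step), 1);
  return generate(seq, incr, maxIterations);
}

// Workaround for callers stuck on a vulnerable version: reject any input
// whose sequence step is zero before handing it to expand(). The check
// looks for "..<bound>..<zeros>}" anywhere in the string so prefixed or
// nested patterns such as "x{3..1..00}y" are caught; a two-field range
// like "{1..0}" has no step and is allowed.
function hasZeroStep(str) {
  return /\.\.[^.{}]+\.\.-?0+\}/.test(str);
}

// Sanitising wrapper around the *vulnerable* expander: with zero steps
// rejected up front, the unpatched loop always terminates.
function safeExpand(str) {
  if (hasZeroStep(str)) {
    throw new Error(`refusing to expand pattern with a zero step: ${str}`);
  }
  return expandVulnerable(str);
}
```

expandFixed('{1..2..0}') returns ['1', '2'], matching the expected bash output the patches add to test/bash-results.txt, while expandVulnerable('{1..2..0}') trips the iteration guard instead of returning; without the guard it would spin until memory ran out. The sanitiser is a stopgap: the clamp in the patched versions is the actual fix, and it also covers the descending case ({2..1..0}) because Math.abs runs before Math.max.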

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions     Patched version
brace-expansion (npm)   >= 4.0.0, < 5.0.5     5.0.5
brace-expansion (npm)   >= 3.0.0, < 3.0.2     3.0.2
brace-expansion (npm)   >= 2.0.0, < 2.0.3     2.0.3
brace-expansion (npm)   < 1.1.13              1.1.13

Affected products: 1

Patches: 3

Commit b9cacd9e55e7

Backport fix for GHSA-f886-m6hf-6m8v to v3 (#97)

https://github.com/juliangruber/brace-expansion · Alec Fenichel · Mar 27, 2026 · via ghsa
3 files changed, +5 -2
  • index.js (+1 -1, modified)
    @@ -176,7 +176,7 @@ function expand (str, isTop) {
           const y = numeric(n[1])
           const width = Math.max(n[0].length, n[1].length)
           let incr = n.length === 3
    -        ? Math.abs(numeric(n[2]))
    +        ? Math.max(Math.abs(numeric(n[2])), 1)
             : 1
           let test = lte
           const reverse = y < x
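Review bot: the changed line `? Math.max(Math.abs(numeric(n[2])), 1)` needs a one-line comment saying why the clamp is there: with incr = 0 the counter this value feeds never moves toward y, so the lte/reverse test below never fails and the loop never exits (GHSA-f886-m6hf-6m8v), and mapping 0 to 1 is what bash does, as the {1..2..0} entry added to bash-results.txt in the same commit shows. Two follow-ups: `numeric` is not in the hunk, so confirm it cannot return NaN for a step that reaches this line, because Math.max(NaN, 1) is NaN rather than 1 and the clamp would not apply; and termination is now guaranteed but the iteration count is still proportional to |y - x| / incr, so very large ranges remain expensive, a separate concern from this advisory but worth a note for callers expanding untrusted input.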
    
  • test/bash-results.txt (+3 -1, modified)
    @@ -1081,4 +1081,6 @@ A{b,{d,e},{f,g}}Z
     [a}b]><><><><{}{{},a}}b
     [{}{}}b]
     [{}a}b]><><><><{}a,b}c
    -[{}a,b}c]><><><><
    \ No newline at end of file
    +[{}a,b}c]><><><><{1..2..0}
    +[1]
    +[2]><><><><
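Review bot: the expected lines for {1..2..0} ([1] then [2]) should be produced by re-running the bash harness that generates bash-results.txt rather than typed in by hand, since this file is the oracle the suite compares against and its value lies in coming from bash itself. The hunk also replaces the old last line to add the trailing newline the file previously lacked ('\ No newline at end of file'); that is fine, but worth a mention in the commit description so the extra removed line is not read as a change in expected output.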
    
  • test/cases.txt (+1 -0, modified)
    @@ -185,3 +185,4 @@ y{},a}x
     {{},a}}b
     {}{{},a}}b
     {}a,b}c
    +{1..2..0}
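Review bot: {1..2..0} only exercises the ascending path; since the index.js hunk in this commit also computes `const reverse = y < x` and the clamp is applied after Math.abs, add a descending zero-step case such as {2..1..0} so both directions of the loop are covered by the same oracle.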
    
Commit 311ac0d54994

Backport fix for GHSA-f886-m6hf-6m8v to v2 (#96)

https://github.com/juliangruber/brace-expansion · Alec Fenichel · Mar 27, 2026 · via ghsa
3 files changed, +5 -3
  • index.js (+1 -2, modified)
    @@ -148,7 +148,7 @@ function expand(str, isTop) {
           var y = numeric(n[1]);
           var width = Math.max(n[0].length, n[1].length)
           var incr = n.length == 3
    -        ? Math.abs(numeric(n[2]))
    +        ? Math.max(Math.abs(numeric(n[2])), 1)
             : 1;
           var test = lte;
           var reverse = y < x;
    @@ -200,4 +200,3 @@ function expand(str, isTop) {
     
       return expansions;
     }
    -
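Review bot: the second hunk only deletes the trailing blank line at the end of index.js, an unrelated whitespace change; leaving it out of a security backport keeps the patch minimal and makes it easy to verify that the v2 fix is the same one-line clamp as the v3 one.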
    
  • test/bash-results.txt (+3 -1, modified)
    @@ -1081,4 +1081,6 @@ A{b,{d,e},{f,g}}Z
     [a}b]><><><><{}{{},a}}b
     [{}{}}b]
     [{}a}b]><><><><{}a,b}c
    -[{}a,b}c]><><><><
    \ No newline at end of file
    +[{}a,b}c]><><><><{1..2..0}
    +[1]
    +[2]><><><><
    
  • test/cases.txt (+1 -0, modified)
    @@ -185,3 +185,4 @@ y{},a}x
     {{},a}}b
     {}{{},a}}b
     {}a,b}c
    +{1..2..0}
    
Commit 7fd684f89fdd

Backport fix for GHSA-f886-m6hf-6m8v (#95)

https://github.com/juliangruber/brace-expansion · Alec Fenichel · Mar 27, 2026 · via ghsa
3 files changed, +5 -3
  • index.js (+1 -2, modified)
    @@ -151,7 +151,7 @@ function expand(str, isTop) {
         var y = numeric(n[1]);
         var width = Math.max(n[0].length, n[1].length)
         var incr = n.length == 3
    -      ? Math.abs(numeric(n[2]))
    +      ? Math.max(Math.abs(numeric(n[2])), 1)
           : 1;
         var test = lte;
         var reverse = y < x;
    @@ -198,4 +198,3 @@ function expand(str, isTop) {
     
       return expansions;
     }
    -
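Review bot: as with the other backports, the second hunk is a whitespace-only removal of the file's trailing blank line and is unrelated to the fix; dropping it keeps this 1.x patch to the single clamp line and makes it easier to cherry-pick onto other branches.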
    
  • test/bash-results.txt (+3 -1, modified)
    @@ -1081,4 +1081,6 @@ A{b,{d,e},{f,g}}Z
     [a}b]><><><><{}{{},a}}b
     [{}{}}b]
     [{}a}b]><><><><{}a,b}c
    -[{}a,b}c]><><><><
    \ No newline at end of file
    +[{}a,b}c]><><><><{1..2..0}
    +[1]
    +[2]><><><><
    
  • test/cases.txt (+1 -0, modified)
    @@ -185,3 +185,4 @@ y{},a}x
     {{},a}}b
     {}{{},a}}b
     {}a,b}c
    +{1..2..0}
    

Vulnerability mechanics

In every affected version the sequence step is computed as Math.abs(numeric(n[2])) when a third field is present. A step of 0 passes through Math.abs unchanged, so the counter in the sequence-generation loop, which keeps running while the lte (or, for reversed ranges, the opposite) test against y holds, never advances; the loop never terminates, which is the hang and unbounded memory growth the description reports. All three backports replace that expression with Math.max(Math.abs(numeric(n[2])), 1), clamping a zero step to 1. The bash-results.txt entry added alongside the fix shows this matches bash, where {1..2..0} expands to 1 and 2.

References: 12

News mentions: 0

No linked articles in our index yet.