brace-expansion: Large numeric range defeats documented `max` DoS protection
Description
The max option was being applied too late: when expanding a single large numeric range such as {1..10000000}, the sequence-generation loop builds all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800 ms building the full intermediate array.
Workaround
Ensure the string to be expanded doesn't contain more values than the desired max item count.
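The workaround above as an added caller-side check (example code, not part of brace-expansion or of this advisory): it scans the input for sequence expressions of the form {x..y} or {x..y..incr}, computes how many values each would produce, and refuses the string when the product exceeds the max the caller intends to pass. The regex, the counting rule and the names estimateExpansionCount and inputFitsMax are assumptions for illustration; comma lists such as {a,b} are not counted, so the result is an estimate of the sequence contribution only.

```javascript
// Added example, not brace-expansion's code. Counts the values that the
// sequence expressions in a brace string would generate, before expand() runs.

// One sequence expression: {x..y} or {x..y..incr} with numeric or single-letter
// endpoints. Nested braces and comma lists are deliberately not matched.
const SEQUENCE_RE = /\{(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?\}/g;

// Number of elements one sequence yields; letters are compared by char code,
// the same way an alphabetic range a..e is a run of consecutive codes.
function sequenceLength(x, y, incr) {
  const numeric = /^-?\d+$/.test(x);
  const lo = numeric ? Number(x) : x.charCodeAt(0);
  const hi = numeric ? Number(y) : y.charCodeAt(0);
  let step = incr === undefined ? 1 : Math.abs(Number(incr));
  if (step === 0) step = 1; // assumption: treat a zero step as 1, never loop forever
  return Math.floor(Math.abs(hi - lo) / step) + 1;
}

// Estimated value count for str: adjacent sequences multiply (a cartesian
// product, e.g. '{1..10}'.repeat(10) is 10^10 combinations). Mixed endpoints
// like {1..a} are skipped because they are not sequences.
function estimateExpansionCount(str) {
  let total = 1;
  for (const m of str.matchAll(SEQUENCE_RE)) {
    const [, x, y, incr] = m;
    const bothNumeric = /^-?\d+$/.test(x) && /^-?\d+$/.test(y);
    const bothAlpha = /^[a-zA-Z]$/.test(x) && /^[a-zA-Z]$/.test(y);
    if (!bothNumeric && !bothAlpha) continue;
    total *= sequenceLength(x, y, incr);
  }
  return total;
}

// The workaround as a predicate: true when str cannot produce more than max
// values from its sequences, so it is safe to hand to expand(str, { max }).
function inputFitsMax(str, max) {
  return estimateExpansionCount(str) <= max;
}

// Demo on constructed inputs: the advisory's range, a small range, and the
// repeated range used by the package's own 'multiple sequences max' test.
for (const str of ['{1..10000000}', '{1..10}', '{1..10}'.repeat(10)]) {
  console.log(`${str}: ~${estimateExpansionCount(str)} values, fits max=10: ${inputFitsMax(str, 10)}`);
}
```

Call inputFitsMax(str, max) before expand(str, { max }) and reject the request when it returns false; because the estimate ignores comma lists, pair it with the library's own max rather than relying on it alone.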
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Brace-expansion applies max limit after generating all sequence elements, enabling DoS via large numeric ranges.
Vulnerability
In brace-expansion versions >=5.0.0 and <5.0.6, the max option is applied after generating all intermediate elements. For a large numeric range like {1..10000000}, the loop iterates through all 10 million steps before truncating, causing excessive memory (~505 MB) and CPU time (~800ms) [3][4].
Exploitation
An attacker can supply a crafted brace string with a huge range (e.g., {1..10000000}) and a small max value. The application processes the full range before applying the limit; no authentication or special access is needed if user input is expanded [3].
Impact
Successful exploitation leads to denial of service (DoS) via memory exhaustion and CPU spike, potentially crashing or slowing the application [3][4].
Mitigation
The vulnerability is fixed in version 5.0.6 via commit c0b095b, which adds a max length check inside the loop [2]. Upgrade to 5.0.6 or later. Alternatively, ensure the expanded string does not contain more values than the desired max item count [3][4].
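The mechanics described in the Description and in the Vulnerability and Mitigation paragraphs above, as an added stand-alone model that is not the package's own code: both loop shapes are written out with the names x, y, incr, N, max and test from the patch hunk, instrumented to count iterations, so the pre-fix form (generate everything, then truncate) and the fixed form (bound inside the loop) can be compared on the same input. The iteration counters, compare() and the 1,000,000-element demo range are assumptions for illustration.

```javascript
// Added example, not brace-expansion's code: a model of the sequence loop
// before and after the 5.0.6 fix, with iteration counts to make the cost visible.

// Direction-aware loop condition: count up to y for a positive incr, down for
// a negative one (the hunk calls this test(i, y); the incr argument is added).
function test(i, y, incr) {
  return incr > 0 ? i <= y : i >= y;
}

// Pre-5.0.6 shape: materialise every element of {x..y..incr}, then slice to max.
// Returns the truncated items plus the number of loop iterations actually run.
function expandRangeBefore(x, y, incr, max) {
  if (incr === 0) throw new RangeError('incr must be non-zero');
  const N = [];
  let iterations = 0;
  for (let i = x; test(i, y, incr); i += incr) {
    iterations++;
    N.push(String(i)); // all elements exist in memory before max applies
  }
  return { items: N.slice(0, max), iterations };
}

// 5.0.6 shape: the max check is part of the loop condition, so generation
// stops as soon as N holds max items.
function expandRangeAfter(x, y, incr, max) {
  if (incr === 0) throw new RangeError('incr must be non-zero');
  const N = [];
  let iterations = 0;
  for (let i = x; test(i, y, incr) && N.length < max; i += incr) {
    iterations++;
    N.push(String(i));
  }
  return { items: N, iterations };
}

// Run both shapes on one input: same output, very different work done.
function compare(x, y, incr, max) {
  const before = expandRangeBefore(x, y, incr, max);
  const after = expandRangeAfter(x, y, incr, max);
  const sameOutput =
    before.items.length === after.items.length &&
    before.items.every((v, idx) => v === after.items[idx]);
  return {
    sameOutput,
    beforeIterations: before.iterations,
    afterIterations: after.iterations,
    items: after.items,
  };
}

// Demo: {1..1000000} with max 10. Smaller than the advisory's 10 million so
// it runs in well under a second; the ratio between the counts is the point.
const demo = compare(1, 1000000, 1, 10);
console.log(`same output: ${demo.sameOutput}`);
console.log(`iterations before fix: ${demo.beforeIterations}, after fix: ${demo.afterIterations}`);
console.log(`items: ${demo.items.join(',')}`);
```

Both shapes return the same ten strings; only the fixed one stops after ten iterations, which is why the advisory could report a correct result alongside ~505 MB of transient allocation.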
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 5.0.0, < 5.0.6
Patches
c0b095bdc52b Merge commit from fork
2 files changed · +14 −2
src/index.ts+1 −1 modified@@ -183,7 +183,7 @@ function expand_(str: string, max: number, isTop: boolean): string[] { N = [] - for (let i = x; test(i, y); i += incr) { + for (let i = x; test(i, y) && N.length < max; i += incr) { let c if (isAlphaSequence) { c = String.fromCharCode(i)
test/index.js+13 −1 modified@@ -144,7 +144,7 @@ t.test('alphabetic sequences with step count', async t => { }) // https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2 -t.test('sequence dos', async t => { +t.test('multiple sequences max', async t => { const str = '{1..10}'.repeat(10) const startTime = performance.now() const expanded = expand(str) @@ -171,3 +171,15 @@ t.test('sequence dos', async t => { `Expected time (${timeTaken}ms) to be less than 500ms`, ) }) + +t.test('single sequence max', async t => { + const str = '{1..100000000}' + const startTime = performance.now() + expand(str, { max: 10 }) + const endTime = performance.now() + const timeTaken = endTime - startTime + t.ok( + timeTaken < 500, + `Expected time (${timeTaken}ms) to be less than 500ms`, + ) +})
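Review bot: the new `N.length < max` guard in the `for` condition of `expand_` bounds only the elements of this one sequence; nothing in the hunk shows max being re-applied when N is combined with the expansions of neighbouring or nested braces, and the `isTop` parameter in the signature is unused in the visible lines. A one-line comment above the loop pointing at where the cross-sequence limit is enforced would save the next reader from re-deriving it. Worth noting in the same comment: with the check in the loop condition, a non-numeric max (the signature says `number`, but `N.length < undefined` is false) silently yields an empty sequence, so whatever normalises max must run before `expand_` is reached.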
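Review bot: the rename from 'sequence dos' to 'multiple sequences max' is fine, but the GHSA advisory link comment directly above it now reads as if it belongs to that test alone, while the new 'single sequence max' test is the regression test for this advisory; move or duplicate the advisory reference above the new test. This renamed test also calls `expand(str)` with no max option, so it exercises the default limit; a short comment saying so would make the contrast with the new test, which passes `{ max: 10 }`, explicit.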
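Review bot: the new 'single sequence max' test asserts only that the call finishes within 500ms and discards the return value of `expand(str, { max: 10 })`. A wall-clock bound is flaky on a loaded CI runner and would also pass if the fix returned nothing at all; add a deterministic assertion on the result, e.g. `const expanded = expand(str, { max: 10 })` followed by `t.equal(expanded.length, 10)`, which is the output size the advisory says is correct, and keep the timing check as a secondary guard.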
References: 3
News mentions: 0 (no linked articles in our index yet)