Medium severity (6.5) · GHSA Advisory · Published May 29, 2026 · Updated Jun 12, 2026
CVE-2026-45149
Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the `max` option was applied too late. When expanding a single large numeric range such as `{1..10000000}`, the sequence generation loop generates all 10 million intermediate elements before the `max` limit is applied. With `max=10`, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800 ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
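The two orderings of range generation and the `max` limit described above, as an added example that is not brace-expansion's own code: `parseNumericRange`, `expandLate`, `expandEarly` and `compareCost` are hypothetical names, and only a single numeric sequence with an optional step is handled.

```javascript
// Added example, not brace-expansion's own code: a minimal numeric-range expander
// written both ways to show why the order of "generate" and "apply max" matters.
// Function and option names here are hypothetical.

// Parse one numeric sequence such as "{1..10000000}" or "{10..1..3}".
// Assumption: only this form is handled; anything else is returned verbatim.
function parseNumericRange(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/.exec(pattern);
  if (!m) return null;
  const step = m[3] === undefined ? 1 : Math.abs(Number(m[3])) || 1;
  return { start: Number(m[1]), end: Number(m[2]), step };
}

// Late limit (pre-5.0.6 ordering described above): every element is built first
// and max only truncates the finished array; `generated` counts what was built.
function expandLate(pattern, { max = Infinity } = {}) {
  const r = parseNumericRange(pattern);
  if (!r) return { out: [pattern], generated: 0 };
  const dir = r.start <= r.end ? 1 : -1;
  const out = [];
  for (let i = r.start; dir > 0 ? i <= r.end : i >= r.end; i += dir * r.step) {
    out.push(String(i));
  }
  return { out: out.slice(0, max), generated: out.length };
}

// Early limit (the fixed ordering): max is checked inside the generation loop,
// so at most `max` elements are ever allocated, whatever the range size.
function expandEarly(pattern, { max = Infinity } = {}) {
  const r = parseNumericRange(pattern);
  if (!r) return { out: [pattern], generated: 0 };
  const dir = r.start <= r.end ? 1 : -1;
  const out = [];
  for (let i = r.start; dir > 0 ? i <= r.end : i >= r.end; i += dir * r.step) {
    if (out.length >= max) break;
    out.push(String(i));
  }
  return { out, generated: out.length };
}

// Side-by-side cost of the two orderings for one pattern and limit.
function compareCost(pattern, max) {
  const late = expandLate(pattern, { max });
  const early = expandEarly(pattern, { max });
  return {
    sameOutput: late.out.join(',') === early.out.join(','),
    lateGenerated: late.generated,
    earlyGenerated: early.generated,
  };
}
```

Both functions return the same 10 strings for `compareCost('{1..100000}', 10)`, but the late version materialises all 100000 elements first while the early version stops at 10, which is the difference the 5.0.6 fix makes.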
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| brace-expansion (npm) | >= 5.0.0, < 5.0.6 | 5.0.6 |
Affected products
- brace-expansion (npm), range: >= 5.0.0, < 5.0.6
- OSV coordinates (37 distribution packages; no CPE is assigned to any of them):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.334.0-r2 |
| pkg:apk/chainguard/emscripten | < 5.0.7-r1 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.16-r1 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.16-r1 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.16-r1 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.8-r6 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.8-r6 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.5-r1 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.5-r1 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r23 |
| pkg:apk/chainguard/langfuse-3 | < 3.175.0-r0 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.175.0-r0 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r25 |
| pkg:apk/chainguard/langfuse-fips-3 | < 3.175.0-r0 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.175.0-r0 |
| pkg:apk/chainguard/lerna | < 9.0.7-r5 |
| pkg:apk/chainguard/npm | < 11.15.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-3-anomaly-detection-dashboards-plugin | < 3.6.0-r5 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-anomaly-detection-dashboards-plugin | < 3.6.0-r7 |
| pkg:apk/chainguard/prism | < 5.15.10-r1 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.243.0-r2 |
| pkg:apk/chainguard/renovate | < 43.170.15-r2 |
| pkg:apk/chainguard/tileserver-gl | < 5.6.0-r3 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.6.0-r3 |
| pkg:apk/chainguard/ts-patch | < 4.0.1-r1 |
| pkg:apk/chainguard/vitess-22 | < 22.0.4-r12 |
| pkg:apk/wolfi/langfuse-3 | < 3.175.0-r0 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.175.0-r0 |
| pkg:apk/wolfi/lerna | < 9.0.7-r5 |
| pkg:apk/wolfi/npm | < 11.15.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-3-anomaly-detection-dashboards-plugin | < 3.6.0-r5 |
| pkg:apk/wolfi/prism | < 5.15.10-r1 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.243.0-r2 |
| pkg:apk/wolfi/renovate | < 43.170.15-r2 |
| pkg:apk/wolfi/tileserver-gl | < 5.6.0-r3 |
| pkg:apk/wolfi/ts-patch | < 4.0.1-r1 |
| pkg:apk/wolfi/vitess-22 | < 22.0.4-r12 |
References
- github.com/advisories/GHSA-jxxr-4gwj-5jf2 (GHSA advisory)
- github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2 (vendor advisory, mitigation)
- nvd.nist.gov/vuln/detail/CVE-2026-45149 (NVD entry)
- github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5 (fix commit)