CVE-2026-13149

EUVD-2026-40269
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
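As an added example (not code from the advisory or the brace-expansion project), a pre-validation gate a caller can run before handing untrusted input to expand(): it counts the non-expanding '{}' groups that the advisory ties to the exponential recursion and rejects input above a limit, which the library's max option cannot do since it only bounds output size. The limit value, function names and sample inputs are assumptions; the counter also counts escaped braces, which is conservative for a reject gate.

```javascript
// Added example, not from the advisory or the brace-expansion package.
// A caller-side gate: bound the number of non-expanding '{}' groups before
// the string ever reaches expand(). The default limit is an assumption.
const DEFAULT_MAX_EMPTY_GROUPS = 16;

// Total number of literal '{}' groups in the pattern (conservative: counts
// escaped braces too, so it can only over-reject, never under-reject).
function countEmptyBraceGroups(pattern) {
  let count = 0;
  for (let i = 0; i + 1 < pattern.length; i++) {
    if (pattern[i] === '{' && pattern[i + 1] === '}') { count++; i++; }
  }
  return count;
}

// Longest run of directly adjacent '{}' groups, the "consecutive" case the
// advisory names; useful as a stricter signal for logging or alerting.
function longestConsecutiveEmptyRun(pattern) {
  let best = 0, run = 0, i = 0;
  while (i < pattern.length) {
    if (pattern.startsWith('{}', i)) { run++; i += 2; if (run > best) best = run; }
    else { run = 0; i++; }
  }
  return best;
}

// Returns { ok, reason } so the caller can reject or log before expand() runs.
function checkBracePattern(pattern, maxEmptyGroups = DEFAULT_MAX_EMPTY_GROUPS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  const total = countEmptyBraceGroups(pattern);
  if (total > maxEmptyGroups) {
    return { ok: false, reason: `${total} non-expanding '{}' groups exceed limit ${maxEmptyGroups}` };
  }
  return { ok: true, reason: '' };
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN = 'file{a,b}{1..3}.txt';
const SUSPECT = 'x' + '{}'.repeat(40);

console.log(checkBracePattern(BENIGN));   // { ok: true, reason: '' }
console.log(checkBracePattern(SUSPECT));  // { ok: false, reason: "40 non-expanding '{}' groups exceed limit 16" }
```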
Provider: seal
Type: CNA
Base Score: 7.7 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:U/V:D/RE:M/U:Amber
CVSS 3.x Base Score: (not listed)
EPSS Percentile: 27%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor: juliangruber
Product: brace-expansion
Version: ≤ 5.0.6
Source: CNA
Ubuntu Releases
Ubuntu Product: node-brace-expansion
bionic: needs-triage
focal: needs-triage
jammy: needs-triage
noble: needs-triage
questing: needs-triage
resolute: needs-triage