CVE-2026-33750 - Medium Severity Vulnerability
Vulnerable Library - brace-expansion-1.1.11.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/brace-expansion/package.json
Dependency Hierarchy:
- nodemon-2.0.2.tgz (Root Library)
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 2cd37e2d6ff1ef65bf05813bc5b410a0f823c5a6
Found in base branch: master
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v2.0.3
Step up your Open Source Security Game with Mend here
CVE-2026-33750 - Medium Severity Vulnerability
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/brace-expansion/package.json
Dependency Hierarchy:
Found in HEAD commit: 2cd37e2d6ff1ef65bf05813bc5b410a0f823c5a6
Found in base branch: master
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2,https://github.com/juliangruber/brace-expansion.git - v2.0.3
Step up your Open Source Security Game with Mend here