{"id":"CVE-2026-13149","details":"brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.","modified":"2026-07-10T03:54:46.625034481Z","published":"2026-06-30T08:30:34.502Z","related":["openSUSE-SU-2026:11220-1"],"database_specific":{"cna_assigner":"seal","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13149.json","cwe_ids":["CWE-400","CWE-407"]},"references":[{"type":"WEB","url":"https://registry.npmjs.org"},{"type":"WEB","url":"https://www.npmjs.com/package/brace-expansion"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13149.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13149"},{"type":"FIX","url":"https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754"},{"type":"PACKAGE","url":"https://github.com/juliangruber/brace-expansion"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/juliangruber/brace-expansion","events":[{"introduced":"0"},{"fixed":"46317b5d8779c151d24f65c9c139cd076f91a1c3"},{"fixed":"c7e33ec13ac1a684c116720843ce24e208611754"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"5.0.6"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v5.0.6","v5.0.5","v5.0.4","v5.0.3","v5.0.2","v4.0.1","v1.1.11","v2.0.1","v3.0.0","v4.0.0","v2.0.0","1.1.11","v1.1.10","v1.1.9","v1.1.8","v1.1.7","v1.1.6","v1.1.5","v1.1.4","v1.1.3","v1.1.2","v1.1.1","v1.1.0","v1.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:U/V:D/RE:M/U:Amber"}]}