CVE-2026-13149

Severity CVSS v4.0:
HIGH
Type:
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
30/06/2026
Last modified:
08/07/2026

Description

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.