Intel

AIKIDO-2026-10477

brace-expansion is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)
CVE-2026-25547

65

Medium Risk

This Affects:

JS: brace-expansion
1.0.0 - 1.1.13, fixed in 1.1.14
2.0.0 - 2.0.3, fixed in 2.1.0

TL;DR

The library expands brace patterns synchronously and materializes every combination. Certain attacker-controlled patterns with repeated numeric ranges can make the number of expansions grow exponentially, driving high CPU use and memory pressure until the process fails. Earlier major lines had no supported way to cap how many expansions are produced. The fix threads an optional max limit through the recursive expansion path so callers can bound work.
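The following is an added example, not code from the brace-expansion package or from this advisory. It is a minimal brace expander written to show the two things the TL;DR describes: why consecutive groups multiply into an exponential number of results, and how an optional limit (the option name `max` is an assumption here) threaded through the recursive expansion path lets a caller bound the work before memory and CPU are exhausted. The grammar is deliberately reduced to comma lists, integer ranges and nesting; the real library handles more.

```javascript
// Added example (not the brace-expansion package's own code): a minimal
// brace expander that threads an optional `max` limit (name assumed here)
// through its recursive expansion path, plus a pre-check that counts the
// expansions a pattern would produce without building them.
// Reduced grammar: {a,b,c} lists, {n..m} integer ranges, nesting;
// no escapes, no letter ranges, no step values.

class ExpansionLimitError extends Error {}

// Split a brace body on commas that are not inside a nested {...}.
function splitTopLevel(body) {
  const parts = [];
  let depth = 0;
  let cur = '';
  for (const ch of body) {
    if (ch === '{') depth++;
    else if (ch === '}') depth--;
    if (ch === ',' && depth === 0) {
      parts.push(cur);
      cur = '';
      continue;
    }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Locate the first balanced {...} group; returns [pre, body, post] or null.
// An unbalanced brace is treated as literal text.
function findBrace(pattern) {
  const open = pattern.indexOf('{');
  if (open < 0) return null;
  let depth = 0;
  for (let i = open; i < pattern.length; i++) {
    if (pattern[i] === '{') depth++;
    else if (pattern[i] === '}' && --depth === 0) {
      return [pattern.slice(0, open), pattern.slice(open + 1, i), pattern.slice(i + 1)];
    }
  }
  return null;
}

// Turn a brace body into its alternatives: an integer range or a comma list.
// Returns null for a body the shell would leave literal (no comma, no range).
function alternatives(body) {
  const range = /^(-?\d+)\.\.(-?\d+)$/.exec(body);
  if (range) {
    const lo = Number(range[1]);
    const hi = Number(range[2]);
    const step = lo <= hi ? 1 : -1;
    const out = [];
    for (let i = lo; step > 0 ? i <= hi : i >= hi; i += step) out.push(String(i));
    return out;
  }
  const parts = splitTopLevel(body);
  return parts.length > 1 ? parts : null;
}

// Count the final expansions without materialising any of them: the sizes of
// consecutive groups multiply, which is where the exponential growth comes from.
// A caller can reject a pattern on this number before expanding anything.
function countExpansions(pattern) {
  const hit = findBrace(pattern);
  if (!hit) return 1;
  const [, body, post] = hit;
  const alts = alternatives(body);
  const heads = alts === null ? 1 : alts.reduce((n, a) => n + countExpansions(a), 0);
  return heads * countExpansions(post);
}

// Expand a pattern, throwing ExpansionLimitError as soon as any level of the
// recursion would hold more than `max` results. Every intermediate array is at
// most the size of the final result, so the check bounds work at every level.
function expand(pattern, { max = Infinity } = {}) {
  const go = (p) => {
    const hit = findBrace(p);
    if (!hit) return [p];
    const [pre, body, post] = hit;
    const alts = alternatives(body);
    const heads = alts === null ? ['{' + body + '}'] : alts.flatMap(go);
    const tails = go(post);
    const out = [];
    for (const h of heads) {
      for (const t of tails) {
        if (out.length >= max) throw new ExpansionLimitError(`more than ${max} expansions`);
        out.push(pre + h + t);
      }
    }
    return out;
  };
  return go(pattern);
}

console.log(expand('file{1..3}.{txt,log}'));
console.log(countExpansions('{1..10}{1..10}{1..10}'));
```

The two defences are complementary: `countExpansions` lets a service refuse an oversized pattern up front, while the `max` check inside `expand` guarantees that even a pattern that slipped past any pre-check cannot grow past the budget at any depth of the recursion.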

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

brace-expansion is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 1.1.13 and 2.0.0 - 2.0.3.

How to fix this

Upgrade brace-expansion to a patched version: 1.1.14 or later on the 1.x line, or 2.1.0 or later on the 2.x line.