Intel

AIKIDO-2026-237551

brace-expansion is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-13149 Published Jun 30, 2026

53

Medium Risk

This Affects:

JSbrace-expansion
1.0.0 - 1.1.15
Fixed in 1.1.16
2.0.0 - 2.1.1
Fixed in 2.1.2
3.0.0 - 5.0.6
Fixed in 5.0.7
Are you affected? Scan for Free

TL;DR

brace-expansion expands shell-style brace patterns through a recursive expand_ function that computes the post segment unconditionally before the early-return branches that discard it. An input containing many consecutive non-expanding {} groups forces each recursion level to expand the remaining tail twice, producing exponential-time behavior in the number of groups. A short pattern of roughly ninety bytes blocks the single-threaded event loop for minutes, the max option does not bound this work, and untrusted input reaching expand() directly or through minimatch/glob can stall a worker or process. The fix defers computing post until a brace set actually expands and converts the rewrite step from recursion into an in-function loop.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input to expand() directly or through brace patterns in minimatch/glob.

Background info

brace-expansion is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 1.1.15, 2.0.0 - 2.1.1 and 3.0.0 - 5.0.6.

How to fix this

Upgrade the brace-expansion library to the patch version.