Description
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
EPSS Score:
0%
EUVD-2026-5326: Professional Cybersecurity Analysis
Executive Summary
EUVD-2026-5326 represents a critical Denial of Service (DoS) vulnerability in @isaacs/brace-expansion, a JavaScript library for bash-style brace pattern expansion that is widely installed as a transitive dependency. With a CVSS 4.0 score of 9.2 (Critical), it poses significant risks to Node.js applications across European digital infrastructure that pass untrusted patterns to the library. A remote attacker can trigger resource exhaustion with a single maliciously crafted pattern and needs no authentication to do so.
1. Vulnerability Assessment and Severity Evaluation
Technical Classification
- Vulnerability Type: Algorithmic Complexity / Resource Exhaustion DoS
- CWE Classification: Likely CWE-407 (Inefficient Algorithmic Complexity); CWE-1333 (Inefficient Regular Expression Complexity) is sometimes cited for this class of bug but is specific to regular expressions and does not describe brace expansion
- CVSS 4.0 Score: 9.2 (Critical)
- Attack Complexity: Low (AC:L)
CVSS 4.0 Vector Analysis
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Key Severity Indicators:
- AV:N (Network): Exploitable remotely without physical access
- AC:L (Low Complexity): No conditions outside the attacker's control (a race, a particular configuration) must be met; one crafted pattern is enough
- PR:N (No Privileges Required): No authentication needed
- UI:N (No User Interaction): Fully automated exploitation possible
- VA:H (High Availability Impact): The affected Node.js process blocks on the expansion or crashes out of memory, taking its service down
- SA:H (High Subsequent Availability): Cascading impact on dependent systems
Severity Justification
The 9.2 critical rating is warranted due to:
- Zero authentication requirement for exploitation
- Exponential resource consumption from minimal input
- Synchronous blocking behavior causing immediate process impact
- Wide deployment in Node.js ecosystem
- Potential for cascading failures in microservices architectures
2. Attack Vectors and Exploitation Methods
Attack Mechanism
The vulnerability lies in the library's eager expansion algorithm: a pattern is expanded into a complete array of results synchronously, so the event loop is blocked until every combination has been materialised. When a pattern contains several adjacent numeric brace ranges, the number of results is the product of the range sizes, which grows exponentially in the number of ranges while the input grows only linearly.
Exploitation Examples
Basic Attack Pattern:
// Three adjacent ranges: the result count is the product of the range sizes
"{1..100}{1..100}{1..100}"
// Generates 100 × 100 × 100 = 1,000,000 combinations from 24 characters of input
// More, smaller ranges for maximum impact (adjacent, not nested)
"{1..50}{1..50}{1..50}{1..50}"
// Generates 50^4 = 6,250,000 combinations
Advanced Attack Vectors:
- HTTP Request Parameters:
POST /api/search HTTP/1.1
Host: vulnerable-app.eu
Content-Type: application/json
{
"pattern": "file-{1..100}{1..100}{1..100}.txt"
}
- File Upload Scenarios:
// Malicious filename pattern
filename: "document-{1..999}{1..999}.pdf"
- CLI Tool Exploitation:
# If the library processes user input
node vulnerable-tool.js --pattern "{1..100}{1..100}{1..100}"
Attack Characteristics
- Resource Consumption: One core pinned at 100% (the expansion is single-threaded) and heap growth until the result array is built or the process runs out of memory
- Time to Impact: Immediate (synchronous processing; no other request on that process is served meanwhile)
- Detection Difficulty: May appear as legitimate high load; the only request-level signal is a payload containing several `{x..y}` ranges
- Amplification Factor: Exponential (O(n^m), where n is the size of each range and m is the number of ranges)
3. Affected Systems and Software Versions
Directly Affected
Package: @isaacs/brace-expansion
- Vulnerable Versions: All versions < 5.0.1
- Patched Version: 5.0.1 and above
- Package Type: Hybrid CJS/ESM TypeScript module
Dependency Chain Impact
This library is commonly used by:
- minimatch (glob pattern matching), maintained by the same author; recent minimatch versions depend on the fork directly
- glob (file system pattern matching), which depends on minimatch
- Build tools (webpack, rollup, vite), test frameworks (jest, mocha) and CLI utilities (npm scripts, task runners), which reach it transitively through minimatch or glob; whether a given install carries the fork or the original brace-expansion depends on the resolved minimatch version, so check the lockfile rather than assuming
Affected Environments
- Node.js Applications:
  - Web servers (Express, Fastify, Koa)
  - API gateways
  - Microservices
  - Serverless functions (AWS Lambda, Azure Functions)
- Development Tools:
  - CI/CD pipelines
  - Build systems
  - Package managers
  - Code analysis tools
- European Critical Infrastructure:
  - E-government platforms
  - Financial services APIs
  - Healthcare systems
  - Supply chain management systems
Identification Methods
Check the installed dependency tree (package.json only lists direct dependencies; this package usually arrives transitively):
npm list @isaacs/brace-expansion
# or
yarn why @isaacs/brace-expansion
Automated scanning:
npm audit
# or use SBOM tools (syft needs a target such as dir:.)
syft scan dir:. -o json | grep brace-expansion
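Because the package usually arrives transitively, a patched top-level copy can coexist with an older nested copy under another package's own node_modules, and that nested copy is the one a plain `npm install` of the top-level dependency leaves behind. The script below, added here and not part of any project's tooling, walks a lockfileVersion 2 or 3 package-lock.json and reports every installed copy below 5.0.1, pre-releases of 5.0.1 included. The lockfile is constructed for the example; `findVulnerableCopies`, `isVulnerable` and `compareVersions` are names chosen here.

```javascript
// Added example: scan a parsed npm lockfile (lockfileVersion 2 or 3) for every
// installed copy of @isaacs/brace-expansion below the patched version. Works on
// the parsed object so it runs offline and in CI without npm on the PATH.
const PACKAGE = '@isaacs/brace-expansion';
const PATCHED = '5.0.1';

// Compare two dotted numeric versions (major.minor.patch). Pre-release tags are
// stripped here; isVulnerable() handles them separately.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Below 5.0.1 is vulnerable; so is a pre-release of 5.0.1 itself (5.0.1-rc.1),
// which sorts before the release in semver.
function isVulnerable(version) {
  const cmp = compareVersions(version, PATCHED);
  return cmp < 0 || (cmp === 0 && version.includes('-'));
}

// Returns [{ path, version }] for every vulnerable copy, including nested ones
// such as node_modules/minimatch/node_modules/@isaacs/brace-expansion.
function findVulnerableCopies(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PACKAGE)) continue;
    if (entry.version && isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): the direct copy is
// patched, the nested copy under a hypothetical minimatch install is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@isaacs/brace-expansion': { version: '5.0.1' },
    'node_modules/minimatch': { version: '10.0.0' },
    'node_modules/minimatch/node_modules/@isaacs/brace-expansion': { version: '5.0.0' },
  },
};

for (const hit of findVulnerableCopies(SAMPLE_LOCK)) {
  console.log(`VULNERABLE ${hit.path} (${hit.version} < ${PATCHED})`);
}
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the CI job when the returned list is non-empty; a nested hit is the cue to add an `overrides` entry rather than bump the direct dependency.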
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
1. Update to Patched Version
npm install @isaacs/brace-expansion@5.0.1
# or
yarn upgrade @isaacs/brace-expansion@5.0.1
# npm update does not accept a version spec and only moves within the existing semver range; npm install pins the version. For a transitive copy (for example under minimatch), add an "overrides" entry in package.json ("resolutions" with Yarn) mapping "@isaacs/brace-expansion" to ">=5.0.1" and reinstall.
2. Verify Dependency Updates
npm audit fix
npm list @isaacs/brace-expansion
3. Emergency Workarounds (if immediate patching impossible):
// Input validation wrapper (assumes the fork's named export `expand`)
const { expand } = require('@isaacs/brace-expansion');

function safeBraceExpansion(pattern, maxExpansions = 1000) {
  // Coarse complexity limit: count unescaped opening braces
  const braceCount = (pattern.match(/(?<!\\)\{/g) || []).length;
  if (braceCount > 3) {
    throw new Error('Pattern too complex');
  }
  // Estimate the expansion count as the product of all numeric range sizes.
  // Comma lists, letter ranges and nesting are not counted, so this is a
  // lower bound; keep maxExpansions conservative.
  const rangeMatches = pattern.match(/\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/g) || [];
  let estimatedSize = 1;
  for (const match of rangeMatches) {
    const [start, end, step = 1] = match.match(/-?\d+/g).map(Number);
    // Math.abs handles descending ranges such as {100..1}; a step of 0 counts as 1
    estimatedSize *= Math.floor(Math.abs(end - start) / (Math.abs(step) || 1)) + 1;
  }
  if (estimatedSize > maxExpansions) {
    throw new Error('Expansion would exceed size limit');
  }
  return expand(pattern);
}
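The counter below, written for this page and not part of @isaacs/brace-expansion, makes the arithmetic in section 2 and the size estimate in the wrapper above exact: it parses bash-style brace syntax (comma alternatives, nesting, numeric and single-letter ranges with optional steps, backslash escapes, literal treatment of unbalanced or plain `{foo}` braces) and returns how many strings a pattern would expand to without building any of them, so it costs O(pattern length) instead of O(output). `countExpansions`, `isSafePattern` and the `MAX_EXPANSIONS` budget are names chosen here; the budget value is an assumption to tune per application.

```javascript
// Added example: count how many strings a brace pattern expands to, without
// expanding it. Bash-style semantics: {a,b,c} alternatives (nestable), numeric
// or single-letter ranges {x..y} / {x..y..step}, backslash escapes; unbalanced
// braces and "{foo}" (no comma, no range) stay literal.
function countExpansions(pattern) {
  let pos = 0;

  // Size of a range body such as "1..100" or "a..e..2"; null if not a range.
  function rangeLength(body) {
    const num = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
    const alpha = /^([A-Za-z])\.\.([A-Za-z])(?:\.\.(-?\d+))?$/.exec(body);
    let lo, hi, step;
    if (num) {
      [lo, hi, step] = [Number(num[1]), Number(num[2]), num[3]];
    } else if (alpha) {
      [lo, hi, step] = [alpha[1].charCodeAt(0), alpha[2].charCodeAt(0), alpha[3]];
    } else {
      return null;
    }
    const inc = Math.abs(Number(step)) || 1;        // missing or 0 step -> 1
    return Math.floor(Math.abs(hi - lo) / inc) + 1;  // direction does not matter
  }

  // Parse "{...}" with pos at the '{'. Returns the group's expansion count.
  function parseGroup() {
    const open = pos;
    pos++;                                   // skip '{'
    const bodyStart = pos;
    let sum = 0;
    let sawComma = false;
    for (;;) {
      sum += parseSequence(true);
      if (pos >= pattern.length) {           // no matching '}': keep '{' literal
        pos = open + 1;
        return 1;
      }
      if (pattern[pos] === ',') { sawComma = true; pos++; continue; }
      break;                                 // pattern[pos] === '}'
    }
    const body = pattern.slice(bodyStart, pos);
    pos++;                                   // skip '}'
    if (sawComma) return sum;                // alternatives add up
    const range = rangeLength(body);
    return range === null ? sum : range;     // "{1..5}" is 5; "{foo}" is literal
  }

  // Parse literal text and groups in sequence; counts multiply. Inside a
  // group, stop at the ',' or '}' that belongs to the enclosing group.
  function parseSequence(inGroup) {
    let product = 1;
    while (pos < pattern.length) {
      const ch = pattern[pos];
      if (ch === '\\') { pos += 2; continue; }              // escaped char is literal
      if (inGroup && (ch === ',' || ch === '}')) break;
      if (ch === '{') { product *= parseGroup(); continue; }
      pos++;
    }
    return product;
  }

  return parseSequence(false);
}

// Assumed budget for untrusted input; tune per application. The count is the
// number of output strings, so memory is roughly count * average string length.
const MAX_EXPANSIONS = 10000;

function isSafePattern(pattern, limit = MAX_EXPANSIONS) {
  return countExpansions(pattern) <= limit;
}

// The attack patterns from section 2 next to a benign one.
for (const p of ['file-{a,b,c}.jpg', '{1..100}{1..100}{1..100}', '{1..50}{1..50}{1..50}{1..50}']) {
  console.log(`${p}: ${countExpansions(p)} expansions, safe=${isSafePattern(p)}`);
}
```

Bound the raw pattern length (a kilobyte is plenty for real use) before calling the counter, since its recursion depth equals the brace nesting depth. Counts above 2^53 lose precision in a JavaScript number, but anything that large is already far beyond any sane budget, so the comparison still rejects it.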
Short-term Mitigations (Priority 2)
1. Input Validation and Sanitization:
// Reject patterns with many brace groups, counted linearly rather than with a
// backtracking regex. Counting groups is only a coarse filter: two groups such
// as {1..9999}{1..9999} still expand to about 100 million strings, so pair it
// with an expansion-count limit like the wrapper in Priority 1.
const MAX_BRACE_GROUPS = 2;
const braceGroups = (userInput.match(/\{/g) || []).length;
if (braceGroups > MAX_BRACE_GROUPS) {
  return res.status(400).json({ error: 'Invalid pattern' });
}
2. Resource Limits:
// Run the expansion off the main thread so a runaway pattern can be killed
// with worker.terminate() while the event loop keeps serving other requests;
// resourceLimits caps the worker's heap so memory growth is contained too.
// expansion-worker.js is assumed to contain:
//   const { parentPort, workerData } = require('worker_threads');
//   const { expand } = require('@isaacs/brace-expansion');
//   parentPort.postMessage(expand(workerData));
const { Worker } = require('worker_threads');
function expandWithTimeout(pattern, timeout = 1000) {
  return new Promise((resolve, reject) => {
    const worker = new Worker('./expansion-worker.js', {
      workerData: pattern,
      // The worker fails with ERR_WORKER_OUT_OF_MEMORY instead of the process
      resourceLimits: { maxOldGenerationSizeMb: 256 }
    });
    const timer = setTimeout(() => {
      worker.terminate();
      reject(new Error('Expansion timeout'));
    }, timeout);
    worker.on('message', (result) => {
      clearTimeout(timer);
      resolve(result);
    });
    worker.on('error', (err) => {
      clearTimeout(timer);
      reject(err);
    });
  });
}
3. Rate Limiting (a supplement only: a single request is enough to block the process, so this does not replace the input and resource limits above):
// Express middleware example
const rateLimit = require('express-rate-limit');
const patternLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 10, // limit each IP to 10 requests per minute
  message: 'Too many pattern requests'
});
app.use('/api/expand', patternLimiter);
Long-term Strategic Mitigations
**1. Dependency