Denial of Service Vulnerability in Brace Expansion by Julian Gruber
CVE-2026-13149

7.7 HIGH

Key Information:

Vendor:
CVE Published: 30 June 2026

What is CVE-2026-13149?

The brace-expansion library is vulnerable to denial of service through its expand() function. The function's running time grows exponentially with the number of consecutive non-expanding '{}' brace groups in the input, so an attacker who controls the pattern string can supply a short, specially crafted string that consumes excessive CPU and blocks the event loop of the calling application. The max option, which limits the size of the output, does not mitigate the issue: it only truncates the result and does not reduce the recursive work expand() performs before producing it.
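Because the max option bounds output rather than work, the practical defence for a caller is to reject pathological patterns before expand() ever runs. The following is an added example written for this page, not code from the advisory or from the brace-expansion project: a linear-time pre-check that counts brace groups (and the empty '{}' form specifically) and a wrapper that refuses to call an injected expander when the pattern exceeds a budget. The function names, the thresholds, and the constructed payload are all assumptions for illustration; the guard counts every group rather than trying to define "consecutive", which is deliberately conservative.

```javascript
'use strict';

// Budgets a caller imposes before handing a pattern to expand().
// Both numbers are illustrative assumptions, not values from the library.
const MAX_PATTERN_LENGTH = 1024;
const MAX_BRACE_GROUPS = 16;

// One linear pass over the pattern: counts every '{...}' group, how many of
// them are the empty, non-expanding '{}' form, the deepest nesting, and
// whether braces are balanced. A backslash escapes the next character.
function analyzeBracePattern(pattern) {
  const stats = { length: pattern.length, braceGroups: 0, emptyGroups: 0, maxDepth: 0, balanced: true };
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }            // skip the escaped character
    if (ch === '{') {
      stats.braceGroups++;
      if (pattern[i + 1] === '}') {                // literal '{}' expands to nothing
        stats.emptyGroups++;
        i++;                                       // consume the closing brace
      } else {
        depth++;
        stats.maxDepth = Math.max(stats.maxDepth, depth);
      }
    } else if (ch === '}') {
      if (depth === 0) stats.balanced = false;     // stray closing brace
      else depth--;
    }
  }
  if (depth !== 0) stats.balanced = false;         // unclosed group
  return stats;
}

// True when the pattern stays inside the length and group budgets and is balanced.
function isSafeBracePattern(pattern, limits = {}) {
  const maxLength = limits.maxLength ?? MAX_PATTERN_LENGTH;
  const maxGroups = limits.maxGroups ?? MAX_BRACE_GROUPS;
  const s = analyzeBracePattern(pattern);
  return s.length <= maxLength && s.braceGroups <= maxGroups && s.balanced;
}

// Wrap any expander (for example require('brace-expansion')) so over-budget
// patterns are rejected before any expansion work happens. The expander is
// injected as an argument so this file runs without the dependency installed.
function safeExpand(pattern, expandFn, limits) {
  if (!isSafeBracePattern(pattern, limits)) {
    throw new RangeError('brace pattern rejected: ' + JSON.stringify(analyzeBracePattern(pattern)));
  }
  return expandFn(pattern);
}

// Constructed payload of the shape the advisory describes: n consecutive '{}' groups.
function craftPayload(n) {
  return '{}'.repeat(n);
}

// Stand-in expander for the demo; a real caller would pass require('brace-expansion').
const demoExpand = (p) => [p];
console.log(safeExpand('file{1..3}.txt', demoExpand));
try {
  safeExpand(craftPayload(40), demoExpand);
} catch (e) {
  console.log(String(e));   // the crafted string never reaches the expander
}
```

The check is O(n) in the pattern length, so it cannot itself become the bottleneck, and because it runs before expand() it bounds the recursive workload rather than the output size, which is exactly what the max option fails to do. The budget of 16 groups is a placeholder; pick a limit from the patterns your application legitimately accepts.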

Affected Version(s)

brace-expansion (platform listed as Linux): versions 0 through 5.0.6 inclusive

References

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

bnbdr