=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN193
_____________________________________________________________________

DATE                : 19/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @isaacs/brace-expansion (npm) versions
                                       prior to 5.0.1.

=====================================================================
https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
_____________________________________________________________________


Uncontrolled Resource Consumption in @isaacs/brace-expansion
Critical
isaacs published GHSA-7h2j-956f-4vf2 Feb 3, 2026

Package
@isaacs/brace-expansion (npm)

Affected versions
<= 5.0.0

Patched versions
5.0.1


Description

Summary

@isaacs/brace-expansion is vulnerable to a denial of service (DoS)
issue caused by unbounded brace range expansion. When an attacker
provides a pattern containing repeated numeric brace ranges, the library
attempts to eagerly generate every possible combination synchronously.
Because the expansion grows exponentially, even a small input can
consume excessive CPU and memory and may crash the Node.js process.

Details

The vulnerability occurs because @isaacs/brace-expansion expands brace
expressions without any upper bound or complexity limit. Expansion is
performed eagerly and synchronously, meaning the full result set is
generated before returning control to the caller.

For example, the following input:

{0..99}{0..99}{0..99}{0..99}{0..99}

produces:

100^5 = 10,000,000,000 combinations

This exponential growth can quickly overwhelm the event loop and heap
memory, resulting in process termination.
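The pre-check below is an added example, not code from the advisory, from
@isaacs/brace-expansion, or from the 5.0.1 fix. It estimates how many strings a
brace pattern would expand to without materialising any of them, so that a
caller can reject oversized untrusted input before ever handing it to
expand(). The grammar it counts is the one the advisory describes (comma lists
{a,b,c}, numeric and alphabetic ranges {a..b} and {a..b..step}, nesting and
backslash escapes) under bash semantics, which is an assumption about the
library's behaviour; the names estimateExpansion, isSafePattern and the
MAX_EXPANSION budget of 10,000 are hypothetical and belong to this example only.
Unmatched braces are counted as literal text, and a first pass pairs braces so
the counter never rescans input and cannot itself be made to blow up.

```javascript
// Added example (not part of the advisory or of @isaacs/brace-expansion):
// count the strings a brace pattern would produce before calling expand().

// Hypothetical budget; choose per application.
const MAX_EXPANSION = 10000;

// Size of one range body such as "0..99", "a..e" or "1..10..3";
// null when the body is not a range (so "{abc}" stays literal).
function rangeSize(body) {
  const numeric = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  const alpha = /^([A-Za-z])\.\.([A-Za-z])(?:\.\.(-?\d+))?$/.exec(body);
  const m = numeric || alpha;
  if (!m) return null;
  const toNum = (s) => (numeric ? Number(s) : s.charCodeAt(0));
  const lo = toNum(m[1]);
  const hi = toNum(m[2]);
  const step = Math.abs(Number(m[3])) || 1; // missing or zero step -> 1
  return Math.floor(Math.abs(hi - lo) / step) + 1;
}

// One linear pass: index of each '{' -> index of its matching '}'.
// Escaped braces and unmatched braces get no entry and stay literal.
function matchBraces(pattern) {
  const closer = new Map();
  const stack = [];
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '{') stack.push(i);
    else if (ch === '}' && stack.length) closer.set(stack.pop(), i);
  }
  return closer;
}

// Number of strings `pattern` expands to (an upper bound when the expansion
// would contain duplicates). Runs in O(n * nesting depth), never O(result).
function estimateExpansion(pattern) {
  const closer = matchBraces(pattern);

  // pattern[from, to): literal text and groups multiply.
  function countRange(from, to) {
    let count = 1;
    let i = from;
    while (i < to) {
      const ch = pattern[i];
      if (ch === '\\') { i += 2; continue; }          // escaped char is literal
      if (ch === '{' && closer.has(i)) {
        const close = closer.get(i);
        count *= countGroup(i + 1, close);
        i = close + 1;
        continue;
      }
      i++;                                           // literal, incl. lone braces
    }
    return count;
  }

  // Group body pattern[from, to) (between the braces): a range contributes
  // its size, a comma list the sum of its alternatives, and a single
  // non-range alternative keeps its braces literally (bash semantics).
  function countGroup(from, to) {
    const parts = [];
    let start = from;
    let i = from;
    while (i < to) {
      const ch = pattern[i];
      if (ch === '\\') { i += 2; continue; }
      if (ch === '{' && closer.has(i)) { i = closer.get(i) + 1; continue; } // skip nested group
      if (ch === ',') { parts.push([start, i]); start = i + 1; }
      i++;
    }
    parts.push([start, to]);
    if (parts.length === 1) {
      const size = rangeSize(pattern.slice(from, to));
      return size === null ? countRange(from, to) : size;
    }
    return parts.reduce((sum, [a, b]) => sum + countRange(a, b), 0);
  }

  return countRange(0, pattern.length);
}

// Gate for untrusted input: true when the expansion fits the budget.
function isSafePattern(pattern, budget = MAX_EXPANSION) {
  return estimateExpansion(pattern) <= budget;
}

// The advisory's own pattern is rejected long before anything is expanded.
const poc = '{0..99}{0..99}{0..99}{0..99}{0..99}';
console.log(poc, '->', estimateExpansion(poc), 'strings, safe:', isSafePattern(poc));
console.log('{a,b}{1..3}', '->', estimateExpansion('{a,b}{1..3}'), 'strings, safe:', isSafePattern('{a,b}{1..3}'));
```

Call isSafePattern() on any user-supplied pattern and only pass it to expand()
when it returns true; the estimate is computed from the pattern text alone, so
a pattern that would expand to ten billion strings costs a few microseconds to
reject. The budget should reflect what the application can actually afford to
allocate per request, not the largest value that happens to work.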


Proof of Concept

The following script reliably triggers the issue.

Create poc.js:

// poc.js: triggers the unbounded expansion described above
const { expand } = require('@isaacs/brace-expansion');

// Five ranges of 100 values each: 100^5 = 10^10 result strings
const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';

console.log('Starting expansion...');
// expand() builds the whole result array synchronously, so on an
// unpatched version this call never returns; the heap fills up first.
expand(pattern);

Run it:

node poc.js

The process will freeze and typically crash with an error such as:

FATAL ERROR: JavaScript heap out of memory

Impact

This is a denial of service vulnerability (CWE-400). Any application or
downstream dependency that uses @isaacs/brace-expansion on untrusted
input may be vulnerable to a single-request crash.

An attacker does not require authentication and can use a very small
payload to:

    Trigger exponential computation
    Exhaust memory and CPU resources
    Block the event loop
    Crash Node.js services relying on this library


Severity
Critical
9.2 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CVE ID
CVE-2026-25547

Weaknesses
Weakness CWE-400

Credits

    Jvr2022 (@Jvr2022), reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================