{"id":"CVE-2026-45149","summary":"brace-expansion: Large numeric range defeats documented `max` DoS protection","details":"The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.","aliases":["GHSA-jxxr-4gwj-5jf2"],"modified":"2026-06-02T03:54:33.469027707Z","published":"2026-05-29T19:55:07.337Z","related":["CGA-rqj6-gq24-6567"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45149.json","cwe_ids":["CWE-400"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45149.json"},{"type":"ADVISORY","url":"https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45149"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/juliangruber/brace-expansion","events":[{"introduced":"0"},{"fixed":"46317b5d8779c151d24f65c9c139cd076f91a1c3"}]}],"versions":["v5.0.5","v5.0.4","v5.0.3","v5.0.2","v4.0.1","v1.1.11","v2.0.1","v3.0.0","v4.0.0","v2.0.0","1.1.11","v1.1.10","v1.1.9","v1.1.8","v1.1.7","v1.1.6","v1.1.5","v1.1.4","v1.1.3","v1.1.2","v1.1.1","v1.1.0","v1.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}