CVE-2026-25547 CRITICAL

CVE-2026-25547: Uncontrolled Resource Consumption in @isaacs/brace-expansion

Vendor Isaacs
Product brace-expansion
Weakness CWE-1333
Published February 4, 2026
Last update February 5, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

What the vulnerability does

01 Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
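A caller-side guard against the failure mode described above, added here as an illustration and not taken from @isaacs/brace-expansion or its 5.0.1 fix: it computes the expansion size arithmetically from the group bounds (a product of per-group sizes, linear in the pattern length) and refuses the input before any strings are built. The budget constant, the function names and the restriction to top-level, non-nested groups are assumptions of this example.

```javascript
// Added example, not @isaacs/brace-expansion's code: a caller-side guard that
// counts how many strings a pattern would produce before expanding it and
// refuses patterns over a budget. Handles top-level, non-nested groups only.
const MAX_EXPANSIONS = 10_000; // assumed budget; tune per deployment
const RANGE = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/; // {lo..hi} or {lo..hi..step}

// Split a pattern into literal text and {...} group bodies; unbalanced braces stay literal.
function tokenize(pattern) {
  const segs = []; let lit = '';
  for (let i = 0; i < pattern.length; i++) {
    const close = pattern[i] === '{' ? pattern.indexOf('}', i) : -1;
    if (close === -1) { lit += pattern[i]; continue; }
    if (lit) { segs.push({ lit }); lit = ''; }
    segs.push({ group: pattern.slice(i + 1, close) });
    i = close;
  }
  if (lit) segs.push({ lit });
  return segs;
}
// Size of one group from its bounds alone: no strings materialised.
function groupCount(body) {
  const m = RANGE.exec(body);
  if (m) return Math.floor(Math.abs(m[2] - m[1]) / (Math.abs(m[3]) || 1)) + 1;
  return body.split(',').length; // {a,b,c} -> 3; {a} -> 1 (stays literal)
}
// Cheap pre-check: the product of group sizes is the final result count.
function estimateCount(pattern) {
  return tokenize(pattern).reduce((n, s) => n * (s.group === undefined ? 1 : groupCount(s.group)), 1);
}

// The strings one group stands for; only called once the budget is known.
function groupOptions(body) {
  const m = RANGE.exec(body);
  if (!m) return body.includes(',') ? body.split(',') : [`{${body}}`];
  const lo = Number(m[1]), step = (Math.abs(Number(m[3])) || 1) * (lo <= Number(m[2]) ? 1 : -1);
  return Array.from({ length: groupCount(body) }, (_, i) => String(lo + i * step));
}

// Expand only when the estimate fits the budget; otherwise fail fast.
function expandChecked(pattern, limit = MAX_EXPANSIONS) {
  const n = estimateCount(pattern);
  if (n > limit) throw new RangeError(`pattern would expand to ${n} strings (limit ${limit})`);
  let results = [''];
  for (const seg of tokenize(pattern)) {
    const opts = seg.group === undefined ? [seg.lit] : groupOptions(seg.group);
    results = results.flatMap((prefix) => opts.map((o) => prefix + o));
  }
  return results;
}
```

With three groups of 100 the estimate is one million while the pattern itself is under 40 characters, which is exactly the asymmetry the advisory describes; the guard rejects it in constant work instead of building the strings.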

Key dates

02 Disclosure timeline

February 4, 2026 CVE published
February 5, 2026 Record updated