#1138576 node-brace-expansion: CVE-2026-45149

Package:
src:node-brace-expansion
Source:
src:node-brace-expansion
Submitter:
Salvatore Bonaccorso
Date:
2026-06-24 09:07:02 UTC
Severity:
normal
Tags:
#1138576#5
Date:
2026-05-31 19:13:20 UTC
From:
To:
Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2026-45149[0]:
| The brace-expansion library generates arbitrary strings containing a
| common prefix and suffix. From 5.0.0 to before 5.0.6, the max option
| was being applied too late. When expanding a single large numeric
| range like {1..10000000}, the sequence generation loop generates all
| 10 million intermediate elements before the max limit is applied.
| With max=10, the output is correctly limited to 10 items, but the
| process still allocates ~505 MB and spends ~800ms building the full
| intermediate array. This vulnerability is fixed in 5.0.6.

Need your help here, the advisory claims the issue affects 5.0.0
before 5.0.6, but the issue is present before? Maybe at least back to
v3.0.0? Can you please evaluate that properly for the versions
released in Debian and report back where the issue is introduced?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45149
https://www.cve.org/CVERecord?id=CVE-2026-45149
[1] https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
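
The advisory quoted above describes the defect as the max limit being applied only after the whole numeric range has been materialised. The following is an added example, not code from brace-expansion, from the Debian package or from this bug report: a minimal `{start..end[..step]}` expander written two ways, where `expandRangeLate` reproduces the late-cap pattern (build everything, then slice) and `expandRangeEarly` enforces the cap inside the generation loop so at most `max` elements ever exist. The function names, the `generated` counter and the restricted range syntax are assumptions for illustration; the input in `demo` is constructed and deliberately smaller than the advisory's `{1..10000000}`.

```javascript
// Added example (not brace-expansion's own code). Parses the assumed
// syntax "{a..b}" or "{a..b..step}" into start/end/step numbers.
function parseNumericRange(spec) {
  const m = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/.exec(spec);
  if (!m) return null;
  const start = Number(m[1]);
  const end = Number(m[2]);
  let step = m[3] === undefined ? 1 : Math.abs(Number(m[3]));
  if (step === 0) step = 1;
  // Walk downwards when start > end, so "{5..1}" yields 5,4,3,2,1.
  return { start, end, step: start <= end ? step : -step };
}

function inRange(n, r) {
  return r.step > 0 ? n <= r.end : n >= r.end;
}

// Variant 1: the pattern the advisory describes. Every element of the
// range is pushed into an intermediate array first; max is applied only
// afterwards, so memory and time scale with the range, not with max.
function expandRangeLate(spec, max) {
  const r = parseNumericRange(spec);
  if (!r) return { items: [spec], generated: 0 };
  const all = [];
  for (let n = r.start; inRange(n, r); n += r.step) {
    all.push(String(n));
  }
  const items = max === undefined ? all : all.slice(0, max);
  return { items, generated: all.length };
}

// Variant 2: the cap is checked inside the loop, so generation stops as
// soon as max items exist. Output is identical to variant 1, but the
// amount of work is bounded by max.
function expandRangeEarly(spec, max) {
  const r = parseNumericRange(spec);
  if (!r) return { items: [spec], generated: 0 };
  const limit = max === undefined ? Infinity : max;
  const items = [];
  for (let n = r.start; inRange(n, r); n += r.step) {
    if (items.length >= limit) break;
    items.push(String(n));
  }
  return { items, generated: items.length };
}

// Times one implementation and reports how many elements it allocated.
function measure(fn, spec, max) {
  const t0 = process.hrtime.bigint();
  const { items, generated } = fn(spec, max);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { count: items.length, generated, ms };
}

// Constructed input, smaller than the advisory's {1..10000000} so the
// comparison runs in well under a second.
function demo() {
  const spec = '{1..1000000}';
  const late = measure(expandRangeLate, spec, 10);
  const early = measure(expandRangeEarly, spec, 10);
  console.log('late  (cap after loop):', late);
  console.log('early (cap inside loop):', early);
  return { late, early };
}

demo();
```

Both variants return the same ten strings for the same input; the difference visible in `generated` (a million elements versus ten) is the whole of the issue, and a regression test for a fix of this kind should assert on that count or on peak memory rather than only on the returned list.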

#1138576#8
Date:
2026-06-24 08:41:37 UTC
From:
To:
Hello,

Bug #1138576 in node-brace-expansion reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-brace-expansion/-/commit/52eee880e9d7c91f4d2a6e71e679036e6722c9af

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138576

#1138576#15
Date:
2026-06-24 09:04:56 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
node-brace-expansion, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-brace-expansion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 24 Jun 2026 10:39:03 +0200
Source: node-brace-expansion
Architecture: source
Version: 2.0.3+~1.1.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1138576
Changes:
 node-brace-expansion (2.0.3+~1.1.2-3) unstable; urgency=medium
 .
   * Team upload
   * Fix bad CVE id in previous upload
   * Fix sequence DoS (Closes: #1138576, CVE-2026-45149)
Checksums-Sha1:
 24c4a01c72a8cd782381938731531d0f3758e92f 2578 node-brace-expansion_2.0.3+~1.1.2-3.dsc
 811b994213be9324c1a2d8f63306de9655885397 5284 node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz
Checksums-Sha256:
 e7ecd929fc2e092581ed2d44244188aad8805062be974e085db5f8d39038f81f 2578 node-brace-expansion_2.0.3+~1.1.2-3.dsc
 44b0b3ae8f2b4ae28ed86ed44ff095bb172c8077d6f00addc70cf2ce49e8b032 5284 node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz
Files:
 df90c8357fc7eaef4852b95162bab879 2578 javascript optional node-brace-expansion_2.0.3+~1.1.2-3.dsc
 5465e995dab7b11cb5ec4dec444a8e5f 5284 javascript optional node-brace-expansion_2.0.3+~1.1.2-3.debian.tar.xz