[From nobody Wed Jun 24 10:07:08 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 19:13:22 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.9 required=4.0 tests=BAYES_00, FOURLA,
 FROMDEVELOPER, 
 FVGT_m_MULTI_ODD,NO_RELAYS,XMAILER_REPORTBUG autolearn=ham
 autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 22; hammy, 147; neutral, 56; spammy,
 3. spammytokens:0.984-+--million, 0.941-+--H*r:bugs.debian.org,
 0.909-+--limited hammytokens:0.000-+--H*F:U*carnil,
 0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--H*Ad:N*Bug,
 0.000-+--H*Ad:N*Tracking
Return-path: &lt;carnil@debian.org&gt;
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from &lt;carnil@debian.org&gt;) id 1wTlb7-005MFr-1O
 for submit@bugs.debian.org; Sun, 31 May 2026 19:13:22 +0000
Content-Type: text/plain; charset=&quot;us-ascii&quot;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso &lt;carnil@debian.org&gt;
To: Debian Bug Tracking System &lt;submit@bugs.debian.org&gt;
Subject: node-brace-expansion: CVE-2026-45149
Message-ID: &lt;178025480040.834312.2884156878186234441.reportbug@eldamar.lan&gt;
X-Mailer: reportbug 13.2.0
Date: Sun, 31 May 2026 21:13:20 +0200
Delivered-To: submit@bugs.debian.org

Source: node-brace-expansion
Version: 2.0.3+~1.1.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team &lt;team@security.debian.org&gt;

Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2026-45149[0]:
| The brace-expansion library generates arbitrary strings containing a
| common prefix and suffix. From 5.0.0 to before 5.0.6, the max option
| was being applied too late. When expanding a single large numeric
| range like {1..10000000}, the sequence generation loop generates all
| 10 million intermediate elements before the max limit is applied
| With max=10, the output is correctly limited to 10 items, but the
| process still allocates ~505 MB and spends ~800ms building the full
| intermediate array. This vulnerability is fixed in 5.0.6.

Need your help here, the advisory claims the issue affects 5.0.0
before 5.0.6, but the issue is present before? Maybe at least back to
v3.0.0? Can you please evaluate that properly for the versions
released in Debian and report back where the issue is introduced?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities &amp; Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45149
    https://www.cve.org/CVERecord?id=CVE-2026-45149
[1] https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
]