[Pkg-javascript-devel] Bug#1138576: node-brace-expansion: CVE-2026-45149
Salvatore Bonaccorso
carnil at debian.org
Sun May 31 20:13:20 BST 2026
Source: node-brace-expansion
Version: 2.0.3+~1.1.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-brace-expansion.
CVE-2026-45149[0]:
| The brace-expansion library generates arbitrary strings containing a
| common prefix and suffix. From 5.0.0 to before 5.0.6, the max option
| was being applied too late. When expanding a single large numeric
| range like {1..10000000}, the sequence generation loop generates all
| 10 million intermediate elements before the max limit is applied
| With max=10, the output is correctly limited to 10 items, but the
| process still allocates ~505 MB and spends ~800ms building the full
| intermediate array. This vulnerability is fixed in 5.0.6.
Need your help here, the advisory claims the issue affects 5.0.0
before 5.0.6, but the issue is present before? Maybe at least back to
v3.0.0? Can you please evaluate that properly for the versions
released in Debian and report back where the issue is introduced?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-45149
https://www.cve.org/CVERecord?id=CVE-2026-45149
[1] https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list