3 matches found
CVE-2026-45149
The CVE-2026-45149 issue affects the brace-expansion library (Julian Gruber) where the max option was applied too late for 5.0.0–5.0.5. When expanding a large numeric range (e.g., {1..10000000}), the code builds all intermediate elements before enforcing max, allocating about 505 MB and taking ~8...
brace-expansion: Large numeric range defeats documented `max` DoS protection
The max option was being applied too late: When expanding a single large numeric range like 1..10000000, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still...
GHSA-JXXR-4GWJ-5JF2 brace-expansion: Large numeric range defeats documented `max` DoS protection
The max option was being applied too late: When expanding a single large numeric range like 1..10000000, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still...