CVE-2026-25547
📋 TL;DR
The @isaacs/brace-expansion library is vulnerable to denial of service (DoS) through unbounded brace range expansion. Attackers can crash Node.js processes by providing patterns with repeated numeric brace ranges that cause exponential resource consumption. This affects any application using vulnerable versions of this library.
💻 Affected Systems
- @isaacs/brace-expansion
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete Node.js process crash leading to service unavailability, potential cascading failures in dependent services, and resource exhaustion on the host system.
Likely Case
Temporary service disruption with high CPU/memory usage causing degraded performance or process termination.
If Mitigated
Minimal impact with proper input validation and rate limiting preventing malicious patterns from reaching the vulnerable function.
🎯 Exploit Status
Exploitation requires only crafting a malicious pattern string. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.1
Vendor Advisory: https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
Restart Required: Yes
Instructions:
1. Update package.json to specify "@isaacs/brace-expansion": "^5.0.1".
2. Run 'npm update @isaacs/brace-expansion' or 'yarn upgrade @isaacs/brace-expansion'.
3. Restart all Node.js processes using the library.
🔧 Temporary Workarounds
Input validation and sanitization
Validate and limit brace expansion patterns in user input before passing them to the library
Rate limiting and request throttling
Implement rate limiting on endpoints that process user-provided patterns
🧯 If You Can't Patch
- Implement strict input validation to reject patterns with repeated numeric brace ranges
- Deploy resource limits (CPU, memory) and monitoring to detect and mitigate DoS attempts
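The two workaround entries above (input validation and rejecting patterns with repeated numeric brace ranges) amount to one control: bound the size of the expansion before the pattern reaches the library. The following is an added example of such a pre-check, written for this page; it is not code from the advisory or from @isaacs/brace-expansion. The limits, the function names and the sample patterns are assumptions chosen for illustration, and the check never expands anything itself, it only estimates how many strings a pattern would produce.

```javascript
// Added defensive example (not part of the advisory or the library):
// estimate how many strings a brace pattern would expand to and reject
// it before it ever reaches @isaacs/brace-expansion. Nothing is expanded
// here. Limits, names and sample patterns are assumptions for the example.

const DEFAULT_LIMITS = {
  maxPatternLength: 1024,    // hard cap on the raw string
  maxRangeSize: 1000,        // items a single {a..b} or {a..b..step} may yield
  maxTotalExpansions: 10000, // product over all brace groups in the pattern
  maxGroups: 8,              // how many brace groups are tolerated at all
};

// {a..b} and {a..b..step} with integer bounds (optional sign).
const NUMERIC_RANGE_RE = /\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/g;
// Flat comma sets such as {js,ts}; nested braces are not modelled here.
const COMMA_SET_RE = /\{([^{}]*,[^{}]*)\}/g;

// Number of strings one numeric range produces; Infinity for a zero step,
// which would otherwise never terminate.
function rangeSize(startStr, endStr, stepStr) {
  const start = Number(startStr);
  const end = Number(endStr);
  const step = stepStr === undefined ? 1 : Math.abs(Number(stepStr));
  if (step === 0) return Infinity;
  return Math.floor(Math.abs(end - start) / step) + 1;
}

// Returns { ok: true, estimate } for an acceptable pattern, or
// { ok: false, reason, estimate } describing why it was rejected.
function checkBracePattern(pattern, limits = DEFAULT_LIMITS) {
  if (typeof pattern !== 'string' || pattern.length > limits.maxPatternLength) {
    return { ok: false, reason: 'pattern missing or too long', estimate: 0 };
  }
  let total = 1;
  let groups = 0;

  for (const m of pattern.matchAll(NUMERIC_RANGE_RE)) {
    groups += 1;
    const size = rangeSize(m[1], m[2], m[3]);
    if (size > limits.maxRangeSize) {
      return { ok: false, reason: `range ${m[0]} would yield ${size} items`, estimate: size };
    }
    total *= size; // sequential groups multiply: a{1..2}b{1..3} yields 6 strings
    if (total > limits.maxTotalExpansions) {
      return { ok: false, reason: 'combined expansion too large', estimate: total };
    }
  }

  for (const m of pattern.matchAll(COMMA_SET_RE)) {
    groups += 1;
    total *= m[1].split(',').length;
    if (total > limits.maxTotalExpansions) {
      return { ok: false, reason: 'combined expansion too large', estimate: total };
    }
  }

  if (groups > limits.maxGroups) {
    return { ok: false, reason: `too many brace groups (${groups})`, estimate: total };
  }
  return { ok: true, estimate: total };
}

// Constructed demo inputs; only patterns that pass should reach the library.
const DEMO_PATTERNS = ['file.{js,ts}', 'a{1..3}b{1..3}', '{0..99}{0..99}{0..99}', '{1..10..0}'];
for (const p of DEMO_PATTERNS) {
  const verdict = checkBracePattern(p);
  const why = verdict.reason ? ` (${verdict.reason})` : '';
  console.log(`${verdict.ok ? 'ACCEPT' : 'REJECT'} ${p}: estimate=${verdict.estimate}${why}`);
}
```

Call checkBracePattern on user input and only forward patterns that return ok: true. The estimate is deliberately coarse: it does not model nested braces or letter ranges such as {a..z}, so keep the raw length cap and the rate limiting from the workaround list in place as the second layer rather than relying on this gate alone.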
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for '@isaacs/brace-expansion' version less than 5.0.1
Check Version:
npm list @isaacs/brace-expansion | grep @isaacs/brace-expansion
Verify Fix Applied:
Confirm the installed version is 5.0.1 or higher using 'npm list @isaacs/brace-expansion'
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Memory exhaustion warnings
- Node.js process crashes with out-of-memory errors
- Unusual pattern processing requests
Network Indicators:
- Repeated requests containing brace patterns
- Requests with unusually long pattern strings
SIEM Query:
source="application.log" AND ("out of memory" OR "process crashed" OR "high cpu") AND "brace-expansion"