brace-expansion: Large numeric range defeats documented `max` DoS protection

GHSA-jxxr-4gwj-5jf2 · CVE-2026-45149

Published May 18, 2026 · Modified Jun 9, 2026

Description

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

Workaround

Ensure the string to be expanded doesn't contain more values than the desired max item count.

References

WEB https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45149
WEB https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
PACKAGE https://github.com/juliangruber/brace-expansion

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes