CVE-2026-33750
Published: 27 March 2026
Summary
CVE-2026-33750 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Juliangruber Brace-Expansion. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 6.9th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, which here means upgrading to a fixed release of the brace-expansion library (5.0.5, 3.0.2, 2.0.3 or 1.1.13) to remove the infinite loop.
SI-10 requires validation of information inputs; rejecting brace patterns whose sequence step is zero before they reach `expand()` blocks the trigger in deployments that cannot upgrade immediately.
SC-5 provides denial-of-service protections (memory and CPU limits, process supervision) that bound the impact of the resource exhaustion caused by the infinite loop, though they do not prevent the hang itself.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes exploitation of an input-processing flaw (a zero step in a brace pattern) to trigger uncontrolled resource consumption and a process hang, matching T1499.004 Application or System Exploitation for Endpoint Denial of Service.
NVD Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Deeper analysis
CVE-2026-33750 is a denial-of-service vulnerability in the brace-expansion library, which generates arbitrary strings with a common prefix and suffix from brace patterns. In versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13, processing a brace pattern with a zero step value, such as `{1..2..0}`, triggers an infinite loop in the sequence generation code. This causes the affected process to hang for seconds and allocate excessive amounts of heap memory, classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
The vector rates the flaw as exploitable over the network with low complexity and no privileges, but with user interaction required (UI:R): in practice an application must pass attacker-influenced text, such as a user-supplied file or glob pattern, to the library's `expand()` function. Successful exploitation results in a high-impact availability disruption: the targeted process becomes unresponsive and consumes significant memory, which can translate into service outages or broader resource exhaustion on hosts running applications that depend on brace-expansion for string processing.
Mitigation is to upgrade to a fixed version (5.0.5, 3.0.2, 2.0.3, or 1.1.13); the corresponding code changes are recorded in the brace-expansion repository's commit history. As a workaround, applications should sanitize inputs to `expand()` so that a step value of zero is never passed. Note that such a filter has to be applied at every call site that handles untrusted patterns and has to account for sequences nested inside other braces, which is why upgrading remains the preferred fix.
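As an added example, not code from the brace-expansion project or its maintainer, the following Node.js snippet implements the input-validation workaround described above and shows the failure mode behind it. It assumes the sequence syntax `{start..end}` and `{start..end..step}` for integers and single letters, with an optional leading minus, and that the step is parsed as a decimal integer (so `0`, `00` and `-0` all mean zero). `hasZeroStepSequence`, `safeExpand` and `expandNumericSequence` are names chosen here; `expandFn` stands in for the library's `expand()`, which is deliberately not imported so the file runs without the dependency installed, and the sequence generator is a simplified illustration rather than the library's own loop.

```javascript
'use strict';

// Added example, not brace-expansion's own code. Assumed sequence syntax:
// `{start..end}` or `{start..end..step}` for integers and single letters,
// with an optional leading minus; the step is assumed to be parsed as a
// decimal integer, so "0", "00" and "-0" are all zero.
const ZERO_STEP_NUMERIC = /\{-?\d+\.\.-?\d+\.\.-?0+\}/;
const ZERO_STEP_ALPHA = /\{[a-zA-Z]\.\.[a-zA-Z]\.\.-?0+\}/;

// True when the raw pattern contains a sequence with a zero step anywhere
// in the string, including inside nested braces such as `x{a,{1..3..0}}y`.
// Ranges that merely end at zero, such as `{1..0}`, are left alone.
function hasZeroStepSequence(pattern) {
  return ZERO_STEP_NUMERIC.test(pattern) || ZERO_STEP_ALPHA.test(pattern);
}

// Guarded front door for an unpatched expand(). `expandFn` is the library's
// expand function (for example `require('brace-expansion')`); it is passed in
// so this file runs offline without the dependency.
function safeExpand(pattern, expandFn) {
  if (typeof pattern !== 'string') {
    throw new TypeError('brace pattern must be a string');
  }
  if (hasZeroStepSequence(pattern)) {
    throw new RangeError(`refusing brace pattern with zero step: ${pattern}`);
  }
  return expandFn(pattern);
}

// Simplified numeric sequence generator (illustrative, NOT the library's code)
// showing why a zero step hangs: the sign of the step is taken from the
// direction of the range, so with step 0 the counter never moves and the
// end test never fails. The value cap is the guard the affected versions
// lacked; `terminated: false` means the loop would have run forever.
function expandNumericSequence(start, end, step, maxValues = 1000) {
  const reverse = end < start;
  const incr = reverse ? -Math.abs(step) : Math.abs(step);
  const inRange = reverse ? (i) => i >= end : (i) => i <= end;
  const values = [];
  for (let i = start; inRange(i); i += incr) {
    if (values.length >= maxValues) {
      return { values, terminated: false };
    }
    values.push(String(i));
  }
  return { values, terminated: true };
}

// Stand-alone demonstration on constructed inputs.
const echo = (p) => [p]; // stand-in for the real expand(), not imported here
console.log(safeExpand('{1..3}', echo));        // passes through unchanged
console.log(expandNumericSequence(1, 5, 1));     // terminates: 1..5
console.log(expandNumericSequence(1, 2, 0, 5));  // capped: would never terminate
try {
  safeExpand('{1..2..0}', echo);                 // the CVE's trigger pattern
} catch (err) {
  console.log(err.message);                      // guard refuses it
}
```

The regular expressions match only a sequence body in the assumed shape whose step is some spelling of zero, so they do not reject legitimate ranges that end at zero or use a non-zero step. The filter must sit in front of every call that can receive untrusted patterns; it is a stop-gap until the fixed library versions are deployed.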
Details
- CWE(s)