Cyber Resilience

CVE-2026-33750

Severity: Medium · Tag: DDoS

Published: 27 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS score: 0.0003 (8.3rd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33750 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Juliangruber Brace-Expansion. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 8.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33750 is a denial-of-service vulnerability in the brace-expansion library, which generates arbitrary strings with a common prefix and suffix from brace patterns. In versions prior to 5.0.5, 3.0.2, 2.0.3, and 1.1.13, processing a brace pattern with a zero step value, such as `{1..2..0}`, triggers an infinite loop in the sequence generation code. This causes the affected process to hang for seconds and allocate excessive amounts of heap memory, classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

An attacker can exploit this vulnerability over the network with low complexity and no privileges required, but it necessitates user interaction, such as tricking a user into passing a malicious brace pattern to the library's `expand()` function. Successful exploitation results in high-impact availability disruption, where the targeted process becomes unresponsive and consumes significant memory resources, potentially leading to service outages or system resource exhaustion in applications that depend on brace-expansion for string processing.

Mitigation involves upgrading to the fixed versions 5.0.5, 3.0.2, 2.0.3, or 1.1.13, as detailed in the library's GitHub commit history. As a workaround, applications should sanitize inputs to the `expand()` function to prevent the use of a step value of zero. Relevant code changes and source references are available in the brace-expansion repository commits and source files.

Vulnerability details

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
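The workaround described in the analysis and in the vulnerability details above, sanitizing patterns before they reach `expand()`, as an added example that is not the brace-expansion project's own code. It scans a pattern for `{x..y..step}` sequence expressions and rejects a step that parses to zero (including spellings such as `00` or `-0`), and it also shows a bounded numeric sequence expansion that fails closed on a zero step instead of looping; the helper names are assumptions.

```javascript
// Added example (not brace-expansion's code): guard input for CVE-2026-33750.
// Matches one sequence expression, {x..y} or {x..y..step}, where x and y are
// integers or single letters and step is an integer. The global flag lets
// matchAll() find every sequence in a longer pattern, nested braces included.
const SEQUENCE_RE = /\{(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?\}/g;

// True when any sequence in the pattern carries a step that evaluates to 0.
// Number("00") and Number("-0") both compare equal to 0, so those variants of
// the dangerous input are rejected as well.
function hasZeroStepSequence(pattern) {
  for (const m of pattern.matchAll(SEQUENCE_RE)) {
    const step = m[3];
    if (step !== undefined && Number(step) === 0) return true;
  }
  return false;
}

// Reference expansion of a single numeric sequence. The loop advances i by the
// absolute step until the end value is passed, which is exactly the shape that
// never terminates when the step is 0; the check up front makes it fail closed.
function expandNumericSequence(x, y, step = 1) {
  const incr = Math.abs(step);
  if (incr === 0) throw new RangeError('sequence step must not be zero');
  const out = [];
  if (x <= y) {
    for (let i = x; i <= y; i += incr) out.push(String(i));
  } else {
    for (let i = x; i >= y; i -= incr) out.push(String(i));
  }
  return out;
}

// Wrapper to place in front of the library call: returns the pattern unchanged
// when it is safe, otherwise throws before expand() ever sees it.
function guardedPattern(pattern) {
  if (hasZeroStepSequence(pattern)) {
    throw new RangeError('rejected brace pattern with zero step: ' + pattern);
  }
  return pattern;
}
```

Applications that cannot upgrade immediately can call `guardedPattern()` on untrusted input before handing it to `expand()`; upgrading to a fixed version remains the primary remediation.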

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE directly describes exploitation of an input-processing flaw (a zero step in a brace pattern) to trigger uncontrolled resource consumption and a process hang, matching T1499.004 Application or System Exploitation under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56921 (shared CWE-400)
CVE-2026-33538 (shared CWE-400)
CVE-2026-0517 (shared CWE-400)
CVE-2026-6051 (shared CWE-400)
CVE-2026-21945 (shared CWE-400)
CVE-2024-33618 (shared CWE-400)
CVE-2025-69534 (shared CWE-400)
CVE-2025-29487 (shared CWE-400)
CVE-2025-9278 (shared CWE-400)
CVE-2026-34650 (shared CWE-400)

Affected Assets

juliangruber
brace-expansion
≤ 1.1.13 · 2.0.0 — 2.0.3 · 3.0.0 — 3.0.2

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): mandates timely flaw remediation, directly requiring upgrades to fixed versions of the brace-expansion library to eliminate the infinite loop vulnerability.

SI-10 (prevent): requires validation of information inputs, enabling sanitization of brace patterns passed to the `expand()` function to block zero step values.

SC-5 (prevent): provides denial-of-service protections that limit the effects of resource exhaustion attacks such as excessive heap memory allocation from the infinite loop.
