Allocation of Resources Without Limits or Throttling Affecting brace-expansion package, versions >=5.0.2 <5.0.6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-BRACEEXPANSION-16755174
- published19 May 2026
- disclosed18 May 2026
- creditSubhash Dasyam
Introduced: 18 May 2026
NewCVE-2026-45149 (opens in a new tab)How to fix?
Upgrade brace-expansion to version 5.0.6 or higher.
Overview
brace-expansion is a Brace expansion as known from sh/bash
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the max option being applied after generating all elements in a large numeric range. An attacker can exhaust system memory and processing resources by submitting input such as {1..10000000} that causes excessive allocation and computation before the output is limited.
Workaround
This vulnerability can be mitigated by ensuring the string to be expanded does not contain more values than the desired max item count.