CVE-2026-33750
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.03%
Description
The brace-expansion library generates arbitrary strings that share a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate large amounts of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
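The workaround above (reject a zero step before the pattern reaches `expand()`) as an added example; this is not code from the brace-expansion project or from the advisory. It assumes the caller already has an `expand` function imported and that a sequence body has the shape brace-expansion recognises (numeric or single-letter endpoints, optional integer step); `findZeroStepSequences`, `isSafeBracePattern` and `safeExpand` are names chosen here:

```javascript
// Added example: pre-check a brace pattern for sequences whose explicit step is zero,
// so they never reach expand(). Names and the regex shapes below are assumptions of this
// example, not the library's own API.

// Innermost {...} groups (bodies with no nested braces). Checking innermost groups is
// enough, because a sequence body cannot itself contain braces.
const INNERMOST_BRACES = /\{([^{}]*)\}/g;

// A sequence with an explicit step: {start..end..step}. Start/end are integers or single
// letters (assumed to mirror what brace-expansion treats as a sequence); step is an integer.
const SEQUENCE_BODY = /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])\.\.(-?\d+)$/;

// Returns every offending group, e.g. ['{1..2..0}']. "0", "-0" and "00" all parse to zero.
function findZeroStepSequences(pattern) {
  const offenders = [];
  for (const match of pattern.matchAll(INNERMOST_BRACES)) {
    const body = match[1];
    const seq = SEQUENCE_BODY.exec(body);
    if (seq && parseInt(seq[3], 10) === 0) {
      offenders.push(`{${body}}`);
    }
  }
  return offenders;
}

function isSafeBracePattern(pattern) {
  return findZeroStepSequences(pattern).length === 0;
}

// Call-site wrapper. `expandFn` is whatever expand() the application imports; it is
// injected here so the example runs without the library installed.
function safeExpand(expandFn, pattern) {
  const bad = findZeroStepSequences(pattern);
  if (bad.length > 0) {
    throw new RangeError(`refusing to expand zero-step brace sequence(s): ${bad.join(', ')}`);
  }
  return expandFn(pattern);
}

// Constructed sample inputs for a quick manual run.
const samples = ['file{1..3}.txt', '{a..z..2}', '{1..2..0}', 'x{y,{1..5..-0}}z'];
for (const p of samples) {
  console.log(p, '->', isSafeBracePattern(p) ? 'ok' : `rejected ${findZeroStepSequences(p)}`);
}
```

The check is deliberately conservative: an escaped group such as `\{1..2..0\}` would also be flagged even though the library would not expand it, which is the safer failure for an input gate that only exists until the fixed version is deployed.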
How to fix CVE-2026-33750
To remediate CVE-2026-33750, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 5.0.5 or later
Is CVE-2026-33750 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 4.0.0, < 5.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |