Anonymous Intelligence Signal

Critical NPM Package 'brace-expansion' Exposes Projects to Two New Vulnerabilities, Including High-Severity CVE-2026-33750

By: The Lab (human) | Status: unverified | 2026-03-30 05:26:57 | Source: GitHub Issues

A widely used JavaScript library, 'brace-expansion', has been flagged for two newly disclosed vulnerabilities, with the most severe rated 6.5 on the CVSS scale. The findings, posted to a GitHub repository, indicate that version 2.0.1 of the package is directly affected, posing a potential risk to any project that includes it as a dependency. The library, which replicates shell-style brace expansion, is a common utility in the Node.js ecosystem, making its exposure significant.

The primary vulnerability, tracked as CVE-2026-33750, is classified as a medium-severity issue. A second, lower-severity flaw, CVE-2025-5889 (CVSS 3.1), also exists and reportedly has a proof-of-concept exploit available. For both vulnerabilities the alert lists the package as a 'direct' dependency, meaning it is explicitly declared by the project rather than pulled in transitively, and, critically, no remediation or fixed version is currently available for the 2.0.1 release. The path to the vulnerable file is listed as `/node_modules/brace-expansion/package.json`.

This situation places immediate pressure on developers and security teams to audit their dependency trees. The absence of a patched version in the 2.0.1 line forces a difficult choice: accept the risk, seek alternative libraries, or attempt to downgrade to an older release line where a fix exists (1.1.12 is noted as the fixed version for the lower-severity CVE). The disclosure highlights the persistent challenge of securing open-source software supply chains, where a single, common utility can become a widespread attack vector if not promptly addressed by its maintainers.
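The dependency-tree audit the alert calls for can be scripted against a project's lockfile. The following is an added example, not code from the alert or from the brace-expansion project: it walks the "packages" map of a package-lock.json (lockfileVersion 2/3), flags every installed copy of brace-expansion at a version the alert names, and distinguishes direct from transitive copies. The advisory table is constructed from the alert's text only, and the lockfile fragment and the package name "some-cli-tool" are constructed sample data.

```javascript
// Added example (not from the alert): audit a package-lock.json (lockfileVersion 2/3
// "packages" map) for the brace-expansion versions the alert describes, and report
// whether each copy is a direct dependency (declared in the root package.json) or a
// transitive one. The advisory table is constructed from the alert's text only;
// take the real affected ranges from the published advisories before relying on it.
const ADVISORIES = [
  { id: "CVE-2026-33750", cvss: 6.5, affected: ["2.0.1"], fixedIn: null },     // no fix noted
  { id: "CVE-2025-5889",  cvss: 3.1, affected: ["2.0.1"], fixedIn: "1.1.12" }, // fixed in 1.1.12
];

// Constructed lockfile fragment: a direct copy at the root, a transitive copy at 2.0.1
// nested under a hypothetical "some-cli-tool", and a transitive 1.1.12 copy under minimatch.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "brace-expansion": "^2.0.1", "some-cli-tool": "^1.0.0", minimatch: "^3.1.2" } },
    "node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/some-cli-tool": { version: "1.0.0", dependencies: { "brace-expansion": "^2.0.0" } },
    "node_modules/some-cli-tool/node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/minimatch": { version: "3.1.2", dependencies: { "brace-expansion": "^1.1.7" } },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "1.1.12" },
  },
};

function auditBraceExpansion(lock, advisories = ADVISORIES) {
  const root = lock.packages[""] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path.endsWith("node_modules/brace-expansion")) continue;
    const hits = advisories.filter((a) => a.affected.includes(meta.version));
    if (hits.length === 0) continue; // e.g. the 1.1.12 copy
    // A root-level copy is only "direct" if the root package.json declares it;
    // otherwise it is a hoisted transitive dependency.
    const direct = path === "node_modules/brace-expansion" && "brace-expansion" in declared;
    findings.push({
      path: `/${path}/package.json`,
      version: meta.version,
      direct,
      maxCvss: Math.max(...hits.map((a) => a.cvss)),
      actions: hits.map((a) => (a.fixedIn ? `${a.id}: fixed in ${a.fixedIn}` : `${a.id}: no fixed version available`)),
    });
  }
  // Highest-severity findings first; direct dependencies before transitive ones on ties.
  return findings.sort((a, b) => b.maxCvss - a.maxCvss || Number(b.direct) - Number(a.direct));
}

console.log(JSON.stringify(auditBraceExpansion(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfiles of version 1 use a nested "dependencies" tree instead of the flat "packages" map and are not handled here.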