Anonymous Intelligence Signal

GitHub Security Advisory Flags Critical brace-expansion Flaw: Zero-Step Sequence Triggers DoS via Memory Exhaustion

Author: The Lab (human, unverified) | 2026-05-11 06:10:34 | Source: GitHub Issues

A high-severity vulnerability in the widely used `brace-expansion` npm package allows remote attackers to drive the library's sequence generator into a loop that never terminates, causing process hangs and memory exhaustion. Tracked as CVE-2026-33750 (GHSA-f886-m6hf-6m8v), the flaw affects all versions up to and including 2.1.0. It stems from improper handling of brace patterns with a zero step value (for example `{1..2..0}`): because the step never moves the loop variable toward the end of the range, the sequence generation loop runs without terminating. A patch is available in version 5.0.5, and maintainers are urging immediate upgrades across all affected projects.

The brace-expansion library, maintained by Julian Gruber and downloaded millions of times weekly, powers file glob expansion in numerous build tools, CLI utilities, and Node.js frameworks. The zero-step flaw introduces a denial-of-service vector that requires minimal input to exploit. Attackers can trigger the condition by supplying a crafted brace pattern to any application that passes user-controlled input through the library's expansion function. The resulting infinite loop consumes CPU cycles and allocates memory until the host process crashes or the system runs out of resources.

The security advisory, published via GitHub's coordinated vulnerability disclosure process, highlights the risk to continuous integration pipelines, package managers, and development tools that commonly invoke brace expansion during routine operations. Downstream projects depending on vulnerable versions face exposure through automated build processes or script execution. Maintainers are advising users to audit their dependency trees for `brace-expansion@<=2.1.0` and apply the upgrade to 5.0.5 without delay. Organizations unable to update immediately should consider input validation guards that reject or sanitize brace patterns before passing them to the library.
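As an added illustration of the input guard suggested above (example code written for this article, not brace-expansion's own implementation): a pre-check that rejects the `{a..b..0}` shape before the pattern reaches the library, and a bounded range expander showing the termination check the vulnerable loop lacks. The sequence grammar matched by `SEQ_RE` and the `safeExpand` wrapper are assumptions of this example.

```javascript
// Matches the three-part sequence form {start..end..step}; group 3 is the step.
// Assumption: the guard only needs to catch the zero-step shape named in the
// advisory; nested, escaped or comma-list braces are left to the library.
const SEQ_RE = /\{(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.([-+]?\d+))?\}/g;

// True when any sequence in the pattern carries a step that evaluates to zero
// ("0", "-0", "+0", "00" all count, since Number() maps each of them to 0).
function hasZeroStep(pattern) {
  for (const m of pattern.matchAll(SEQ_RE)) {
    if (m[3] !== undefined && Number(m[3]) === 0) return true;
  }
  return false;
}

// Expand one numeric {start..end..step} range with an explicit termination guard:
// a zero (or non-integer) step can never reach `end`, so it is refused up front
// instead of being allowed to spin the loop forever.
function expandRange(start, end, step = 1) {
  if (!Number.isInteger(step) || step === 0) {
    throw new RangeError("sequence step must be a non-zero integer");
  }
  const ascending = start <= end;
  const inc = Math.abs(step); // always walk toward `end`, whatever the sign given
  const out = [];
  for (let i = start; ascending ? i <= end : i >= end; i += ascending ? inc : -inc) {
    out.push(String(i));
  }
  return out;
}

// Wrapper for an application boundary: reject zero-step patterns, otherwise hand
// the pattern to the real expansion function (assumed to be passed in as `expandFn`).
function safeExpand(pattern, expandFn) {
  if (hasZeroStep(pattern)) {
    throw new RangeError(`rejected brace pattern with zero step: ${pattern}`);
  }
  return expandFn(pattern);
}

module.exports = { hasZeroStep, expandRange, safeExpand };
```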