CVE-2026-25547

Aliases:GHSA-7h2j-956f-4vf2

Advisory lineage Upstream: 0 Downstream: 45

Downstream

DEBIAN-CVE-2026-25547 OPENSUSE-SU-2026:10168-1 OPENSUSE-SU-2026:10236-1 OPENSUSE-SU-2026:10250-1 OPENSUSE-SU-2026:10251-1 OPENSUSE-SU-2026:10252-1

Deferred

Published: 04 Feb 2026, 21:51

Last modified:05 Feb 2026, 14:31

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.2 CRITICAL

v4.0 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Feb 2026, 21:51

Published

Vulnerability first disclosed

05 Feb 2026, 14:31

Last Modified

Vulnerability information updated

Description

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

CVSS Metrics

v4.0•CRITICAL•Score: 9.2CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
v4.0•CRITICAL•Score: 9.2CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 6%

Techniques & Countermeasures

CWE-1333•Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

isaacs•brace-expansion
< 5.0.1
@isaacs•brace-expansion
< 5.0.1