What is GHSA-jxxr-4gwj-5jf2?

GHSA-jxxr-4gwj-5jf2 is a security advisory published by GitHub Security Advisories with Medium severity. brace-expansion: Large numeric range defeats documented `max` DoS protection

Which CVE IDs does GHSA-jxxr-4gwj-5jf2 cover?

GHSA-jxxr-4gwj-5jf2 covers the following CVE IDs: CVE-2026-45149. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jxxr-4gwj-5jf2?

GHSA-jxxr-4gwj-5jf2 has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-jxxr-4gwj-5jf2?

GHSA-jxxr-4gwj-5jf2 affects 1 product, including: npm/brace-expansion:\u003e= 5.0.0, \u003c 5.0.6.

GHSA-jxxr-4gwj-5jf2MediumCVSS 6.5

brace-expansion: Large numeric range defeats documented `max` DoS protection

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45149 →

📋 Description

The `max` option was being applied too late: When expanding a single large numeric range like `{1..10000000}`, the sequence generation loop generates all 10 million intermediate elements before the `max` limit is applied With `max=10`, the output is correctly limited to 10 items, but the process still allocates `~505 MB` and spends `~800ms` building the full intermediate array. ### Workaround Ensure the string to be expanded doesn't contain more values than the desired `max` item count.

🎯 Affected products1

npm/brace-expansion:>= 5.0.0, < 5.0.6

🔗 References (3)

https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
https://github.com/advisories/GHSA-jxxr-4gwj-5jf2