CVE-2026-45149: brace-expansion: Large numeric range defeats documented `max` DoS protection

May 18, 2026 (updated June 9, 2026)

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

References

github.com/advisories/GHSA-jxxr-4gwj-5jf2
github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
nvd.nist.gov/vuln/detail/CVE-2026-45149

Code Behaviors & Features

Detect and mitigate CVE-2026-45149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →