CVE-2026-25547: Critical npm Library Flaw Allows Single Request to Crash Node.js Applications

CVE-2026-25547 — Algorithmic Denial of Service in @isaacs/brace-expansion

CVE ID: CVE-2026-25547
Package: @isaacs/brace-expansion (npm)
Affected Versions: All versions prior to 5.0.1
Fixed Version: 5.0.1 and later
CVSS Score: 9.2
Severity: Critical
Vulnerability Type: Algorithmic Denial of Service (DoS)
Exploitability: Low complexity, no authentication required
Exploit Availability: Public proof-of-concept exists (educational and defensive testing only)
Impact: Process crash, service unavailability, resource exhaustion

Official Patch / Upgrade Link:
https://www.npmjs.com/package/@isaacs/brace-expansion


Overview

A critical Algorithmic Denial of Service vulnerability has been identified in the @isaacs/brace-expansion npm package. The issue affects versions earlier than 5.0.1 and is triggered when specially crafted brace patterns are processed. Due to inefficient expansion logic, certain inputs result in exponential growth of computed combinations, causing excessive CPU and memory consumption. This behavior leads to application slowdown, event-loop blocking, or complete Node.js process crashes.


Affected Component

  • Library: @isaacs/brace-expansion
  • Language Runtime: Node.js
  • Usage Context: Glob expansion, pattern matching, file path resolution, build tools, and input parsing logic

Vulnerability Details

The vulnerability is caused by unbounded and synchronous expansion of numeric brace ranges. When multiple brace ranges are concatenated, the library attempts to fully materialize every possible combination in memory. This results in a combinatorial explosion.

For example, a single numeric range may expand to tens or hundreds of values. When several such ranges are chained together, the number of generated strings is the product of the individual range sizes, so it grows exponentially in the number of ranges. The expansion is executed synchronously and without safeguards, leading to memory exhaustion and CPU saturation.


Impact

  • Availability Impact: High
  • Confidentiality Impact: None
  • Integrity Impact: None

Successful exploitation results in denial of service by crashing the Node.js process or rendering the service unresponsive. This impact is particularly severe for APIs and services that accept user-controlled input and perform brace expansion during request handling.


Exploitation Details

Exploitation is achieved by submitting crafted input containing repeated numeric brace ranges. No authentication, privileges, or user interaction are required. A single request can be sufficient to trigger the condition.

The exploit does not require malformed input; syntactically valid brace expressions are enough to cause failure.


Proof of Concept (Educational)

The following example demonstrates how the vulnerability can be triggered in a controlled environment. This code must only be used for security testing and educational purposes.

const { expand } = require('@isaacs/brace-expansion');

// Five chained numeric ranges of 100 values each; a vulnerable version tries to
// materialize every combination synchronously before returning.
const payload = '{0..99}{0..99}{0..99}{0..99}{0..99}';
expand(payload);

When executed on a vulnerable version, this code causes excessive memory allocation and CPU usage, often resulting in a fatal out-of-memory error or application freeze.


Attack Scenarios

  • Public-facing APIs that accept pattern-based parameters
  • Build or CI pipelines processing untrusted configuration files
  • Developer tools or CLIs processing external input
  • Web applications using glob or pattern expansion on request data

MITRE Classification

  • CWE-1333: Inefficient Algorithmic Complexity
  • Attack Category: Denial of Service (Resource Exhaustion)

Detection Strategy

Log Sources

  • Application logs (Node.js stdout/stderr)
  • Process manager logs (PM2, systemd, Docker)
  • API gateway or reverse proxy logs
  • Application performance monitoring metrics
  • Web server access logs

Indicators of Compromise

  • Sudden spikes in memory or CPU usage
  • Node.js fatal errors related to heap exhaustion
  • Repeated application restarts
  • Requests containing excessive brace expressions
  • Event-loop blocking and degraded response times

Detection Rules

Application Log Detection

log.level = "error" AND
message CONTAINS "heap out of memory"

Request Payload Pattern Detection

request.body MATCHES "\{\d+\.\.\d+\}(\{\d+\.\.\d+\}){2,}"

API Gateway / WAF Detection

count("{") >= 4 AND
request.body CONTAINS ".."

Runtime Resource Monitoring

process.name = "node" AND
memory.usage.percent > 80 AND
cpu.usage.percent > 85

Crash Loop Detection

process.exit.code != 0 AND
restart.count >= 3 WITHIN 5 minutes
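
The detection rules above are written in a generic rule syntax. As an added example that is not part of the advisory, the following Node.js script applies the same rules (payload regex, WAF brace count, heap-exhaustion log match, and crash-loop window) to constructed sample request bodies, log entries and process events. The field names (`level`, `message`, `ts`, `exitCode`) and the sample data are assumptions for this example, not real traffic.

```javascript
// Added example (not from the advisory): the advisory's detection rules applied
// to constructed sample request bodies, log entries and process events.
// Field names (level, message, ts, exitCode) are assumptions for this example.

// "Request Payload Pattern Detection": three or more adjacent numeric ranges.
const CHAINED_RANGE_RE = /\{\d+\.\.\d+\}(\{\d+\.\.\d+\}){2,}/;

// "API Gateway / WAF Detection": at least four '{' plus a range operator anywhere.
function matchesWafRule(body) {
  const braces = (body.match(/\{/g) || []).length;
  return braces >= 4 && body.includes('..');
}

// Returns the names of the payload rules a request body triggers.
function classifyRequest(body) {
  const hits = [];
  if (CHAINED_RANGE_RE.test(body)) hits.push('chained_numeric_ranges');
  if (matchesWafRule(body)) hits.push('waf_brace_count');
  return hits;
}

// "Application Log Detection": error-level entry mentioning heap exhaustion.
function matchesHeapOomRule(entry) {
  return entry.level === 'error' && /heap out of memory/i.test(entry.message);
}

// "Crash Loop Detection": true when `threshold` non-zero exits of one process
// fall inside any sliding window of `windowMs`. Events may arrive unordered.
function detectCrashLoop(events, threshold = 3, windowMs = 5 * 60 * 1000) {
  const crashes = events
    .filter((e) => e.exitCode !== 0)
    .map((e) => Date.parse(e.ts))
    .sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < crashes.length; end += 1) {
    while (crashes[end] - crashes[start] > windowMs) start += 1;
    if (end - start + 1 >= threshold) return true;
  }
  return false;
}

// Constructed sample data (not real traffic or logs).
const SAMPLE_REQUESTS = [
  { id: 'r1', body: 'path=src/{a,b}/index.js' },                    // benign
  { id: 'r2', body: 'pattern={0..99}{0..99}{0..99}{0..99}{0..99}' }, // the PoC payload
  { id: 'r3', body: 'glob={1..2}/{1..2}/{1..2}/{1..2}' },            // WAF rule only
];
const SAMPLE_LOG = [
  { level: 'info', message: 'server listening on :3000' },
  { level: 'error', message: 'FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory' },
];
const SAMPLE_PROCESS_EVENTS = [
  { ts: '2026-01-15T10:00:00Z', exitCode: 134 },
  { ts: '2026-01-15T10:03:10Z', exitCode: 134 },
  { ts: '2026-01-15T10:01:30Z', exitCode: 134 },
  { ts: '2026-01-15T10:02:45Z', exitCode: 0 }, // clean shutdown, not a crash
];

for (const r of SAMPLE_REQUESTS) console.log(r.id, classifyRequest(r.body));
console.log('heap OOM lines:', SAMPLE_LOG.filter(matchesHeapOomRule).length);
console.log('crash loop:', detectCrashLoop(SAMPLE_PROCESS_EVENTS));
```

Note that the two payload rules disagree on `r3`: the regex requires the ranges to be adjacent, while the WAF rule only counts braces, so the WAF rule is noisier but catches ranges separated by path segments. Tune the brace threshold against the application's legitimate patterns before alerting on it.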

Mitigation

  • Immediate upgrade to version 5.0.1 or later
  • Input validation to restrict brace range size and count
  • Rejection of untrusted or overly complex patterns
  • Resource limits on Node.js processes
  • Isolation of pattern expansion logic from request-handling threads
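
The "Vulnerability Details" section explains that the expansion count is the product of the chained range sizes, and the mitigation list above calls for validating range size and count before expansion. The following Node.js script, added here as an example and not taken from the advisory or the @isaacs/brace-expansion project, puts both together: it walks a brace pattern and computes an upper bound on the number of strings it would expand to, without materializing any of them, so a caller can reject the input before `expand()` runs. The limit of 1000, the helper names, and the sample patterns are assumptions for this example; the estimator handles comma lists, numeric and single-letter ranges with optional step, nesting and backslash escapes, which is broader than the numeric-only case in the proof of concept.

```javascript
// Added example (not from the advisory or the @isaacs/brace-expansion project):
// estimate how many strings a brace pattern would expand to WITHOUT expanding it,
// so untrusted patterns can be rejected before expand() is ever called.
// The limit and the helper names are assumptions for this example.

const MAX_EXPANSIONS = 1000; // assumed policy limit; tune to the application's needs

// Number of items in a range alternative such as "0..99", "a..e" or "1..9..2".
// Returns null when the text is not a numeric or single-letter range.
function rangeSize(text) {
  const m = /^(-?\d+|[A-Za-z])\.\.(-?\d+|[A-Za-z])(?:\.\.(-?\d+))?$/.exec(text);
  if (!m) return null;
  const numeric = /^-?\d+$/.test(m[1]) && /^-?\d+$/.test(m[2]);
  const alpha = /^[A-Za-z]$/.test(m[1]) && /^[A-Za-z]$/.test(m[2]);
  if (!numeric && !alpha) return null; // mixed forms like "a..9" do not expand
  const lo = numeric ? Number(m[1]) : m[1].charCodeAt(0);
  const hi = numeric ? Number(m[2]) : m[2].charCodeAt(0);
  const step = Math.max(1, Math.abs(Number(m[3] || 1)));
  return Math.floor(Math.abs(hi - lo) / step) + 1;
}

// Walks a run of literal text and brace groups starting at index i. Inside a
// group the walk stops at ',' or '}'. Returns the product of the group counts,
// the stop index, and the raw text when the run contained no group (needed to
// recognise a range such as "{0..99}", which has a single alternative).
function countSequence(pattern, i, inGroup) {
  let count = 1;
  let literal = '';
  let hasGroup = false;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === '\\' && i + 1 < pattern.length) {
      literal += pattern[i + 1]; // escaped character, never a group delimiter
      i += 2;
      continue;
    }
    if (inGroup && (ch === ',' || ch === '}')) break;
    if (ch === '{') {
      const group = countGroup(pattern, i + 1);
      count *= group.count;
      i = group.i;
      hasGroup = true;
      continue;
    }
    literal += ch;
    i += 1;
  }
  return { count, i, literal: hasGroup ? null : literal };
}

// Parses the inside of a group whose '{' sits at i - 1. Returns the number of
// strings the group contributes and the index just past its closing '}'.
// An unterminated group is counted as if it were closed (an upper bound).
function countGroup(pattern, i) {
  const alternatives = [];
  for (;;) {
    const alt = countSequence(pattern, i, true);
    alternatives.push(alt);
    i = alt.i;
    if (i < pattern.length && pattern[i] === ',') { i += 1; continue; }
    if (i < pattern.length) i += 1; // consume '}'
    break;
  }
  if (alternatives.length === 1) {
    const single = alternatives[0];
    const size = single.literal === null ? null : rangeSize(single.literal);
    // "{0..99}" is a range; "{abc}" is plain text and expands to one string.
    return { count: size === null ? single.count : size, i };
  }
  return { count: alternatives.reduce((sum, a) => sum + a.count, 0), i };
}

// Upper bound on the number of strings the pattern expands to.
function estimateExpansions(pattern) {
  return countSequence(pattern, 0, false).count;
}

// Gate to run before handing user input to expand(); returns the verdict
// rather than throwing so callers can log the estimate.
function checkPattern(pattern, limit = MAX_EXPANSIONS) {
  const estimate = estimateExpansions(pattern);
  return { estimate, allowed: estimate <= limit };
}

// Constructed sample inputs: the advisory's proof-of-concept payload plus benign patterns.
const SAMPLES = [
  '{0..99}{0..99}{0..99}{0..99}{0..99}',
  'src/{a,b}/index.js',
  'logs/{2024..2025}/{01..12}',
];
for (const p of SAMPLES) {
  const { estimate, allowed } = checkPattern(p);
  console.log(`${allowed ? 'ALLOW ' : 'REJECT'} estimate=${estimate} pattern=${p}`);
}
```

The estimate is computed in constant memory per pattern, so the guard itself cannot be turned into the same resource-exhaustion problem it prevents. Because it over-counts unterminated groups rather than under-counting them, a rejected pattern is always at least as large as reported; a pattern that passes is safe to hand to `expand()` under the configured limit. This check complements, rather than replaces, the upgrade to 5.0.1.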

Remediation

The vulnerability is fully addressed by upgrading to the patched version of the package. No workaround provides equivalent protection.

Official Upgrade Location:
https://www.npmjs.com/package/@isaacs/brace-expansion


Final Takeaway

This vulnerability represents a high-risk availability issue due to its simplicity and reliability. Because exploitation requires minimal effort and no authentication, all environments using affected versions should be treated as exposed. Patching should be prioritized, especially for internet-facing services and automation pipelines.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.