CVE-2026-25547
medium
CVSS v3 Base Score
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Vulnerability Report
Generated by CyberWatcher
Description
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
CWE
CWE-409
Affected Products
Cryostat 4
Logging Subsystem for Red Hat OpenShift
Migration Toolkit for Applications 8
Node HealthCheck Operator
Red Hat 3scale API Management Platform 2
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat AMQ Broker 7
Red Hat Ansible Automation Platform 2
Red Hat build of Apache Camel - HawtIO 4
Red Hat build of Apicurio Registry 2