CVE Vulnerabilities

CVE-2026-13149

Uncontrolled Resource Consumption

Published: Jun 30, 2026 | Modified: Jun 30, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding {} brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

NameVendorStart VersionEnd Version
Red Hat Hardened ImagesRedHatnodejs26-main-26.4.0-1.3.hum1*
Red Hat Hardened ImagesRedHatnodejs24-main-24.18.0-0.2.hum1*
Red Hat Hardened ImagesRedHatnodejs22-main-22.23.1-2.hum1*

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References