Brace-Expansion Library Denial-of-Service Vulnerability via Large Numeric Range Expansion

Vulnerability

A denial-of-service vulnerability has been identified in the brace-expansion library, affecting versions from 5.0.0 up to but not including 5.0.6. The issue arises because the 'max' option is applied only after the full expansion has been built when large numeric ranges are expanded. For example, expanding a range like {1..10000000} generates all 10 million intermediate elements before the 'max' limit is applied. Although the output is correctly limited to 10 items with 'max=10', building the full intermediate array still consumes approximately 505 MB of memory and takes around 800 milliseconds. Because the cost is driven by the size of the range in the input string rather than by the requested maximum, a caller that expands untrusted strings can be made to allocate significant resources, potentially leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes high memory usage and processing time in the process performing the expansion, leading to a denial-of-service condition.

Remediation

Users can upgrade to brace-expansion version 5.0.6 to address this vulnerability. Alternatively, check before expanding that the string to be expanded does not contain more values than the desired maximum item count, so that a range larger than that maximum is rejected rather than materialised.

Added: May 29, 2026, 8:34 PM
Updated: May 29, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.