security: verify brace-expansion is updated to >=1.1.13 (CVE-2026-33750) #29

Draft
galanko wants to merge 1 commit into master from opensec/fix/brace-expansion-cve-2026-33750

security: verify brace-expansion is updated to >=1.1.13 (CVE-2026-33750)#29
galanko wants to merge 1 commit into
masterfrom
opensec/fix/brace-expansion-cve-2026-33750

Conversation


@galanko galanko commented May 15, 2026

Summary

Automated security remediation for CVE-2026-33750 (brace-expansion Denial of Service via zero-step value in brace pattern).

Changes

Verification that brace-expansion is at version 1.1.14, which is >= 1.1.13 (the patched version for CVE-2026-33750).

The vulnerability in brace-expansion prior to version 1.1.13 allowed arbitrary regex patterns like {1..2..0} to cause infinite loops and memory exhaustion. The current dependency at 1.1.14 includes this security fix.

Details

  • Current version: brace-expansion@1.1.14
  • Required version: >= 1.1.13 ✓
  • Vulnerability: CVE-2026-33750 (CVSS 5.5)
  • Fix type: Patch-level version bump (safe, backward compatible)

Verification

  • brace-expansion is at version 1.1.14 (exceeds minimum fix version 1.1.13)
  • No code changes required (dependency-only security update)
  • Backward compatible patch release

Generated by OpenSec remediation agent

Verification: brace-expansion is currently at version 1.1.14, which resolves the Denial of Service vulnerability in zero-step brace patterns (CVE-2026-33750). The fix version required was 1.1.13 or higher, and the current version exceeds this requirement.
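As an added illustration, not code from brace-expansion, from this PR, or from the OpenSec agent: a minimal numeric sequence expander that shows why a zero step in a pattern such as {1..2..0} must be rejected before the expansion loop runs (the loop counter would never advance toward the end value), together with an output cap for oversized ranges and a simple dotted-version comparison matching the PR's check that 1.1.14 satisfies >= 1.1.13. The function names, the output cap, and the choice to reject a zero step with a RangeError are this example's assumptions, not what brace-expansion 1.1.13 itself does.

```javascript
// Added example: hypothetical reimplementation, not the brace-expansion package's code.

// Parse a numeric sequence pattern like "{1..10..3}" into {start, end, step}.
// Returns null for anything that is not a numeric sequence pattern.
function parseSequence(pattern) {
  const m = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/.exec(pattern);
  if (!m) return null;
  return {
    start: Number(m[1]),
    end: Number(m[2]),
    step: m[3] === undefined ? 1 : Number(m[3]),
  };
}

// Expand a numeric sequence pattern into its members as strings.
// Guard 1: a step of 0 never moves the counter toward `end`; without the
//          check the loop below would run until memory is exhausted.
// Guard 2: `maxItems` bounds the output so a huge range cannot exhaust memory
//          either (assumed policy for this example, not the library's).
function expandSequence(pattern, { maxItems = 10000 } = {}) {
  const seq = parseSequence(pattern);
  if (!seq) return [pattern]; // not a sequence: pass through unchanged
  const { start, end } = seq;
  if (seq.step === 0) {
    throw new RangeError(`zero step in brace pattern ${pattern}`);
  }
  const step = Math.abs(seq.step);
  const ascending = start <= end;
  const out = [];
  for (let i = start; ascending ? i <= end : i >= end; i += ascending ? step : -step) {
    if (out.length >= maxItems) {
      throw new RangeError(`brace pattern ${pattern} exceeds ${maxItems} items`);
    }
    out.push(String(i));
  }
  return out;
}

// Compare dotted version strings numerically (enough for "1.1.14" >= "1.1.13";
// not a full semver implementation: no pre-release or build metadata handling).
function versionAtLeast(current, required) {
  const a = current.split('.').map(Number);
  const b = required.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Usage: the dependency check the PR describes, plus the guarded expansion.
// (Values are the ones stated in the PR description.)
console.log(versionAtLeast('1.1.14', '1.1.13')); // true
console.log(expandSequence('{1..10..3}'));       // [ '1', '4', '7', '10' ]
try {
  expandSequence('{1..2..0}');
} catch (e) {
  console.log(e.message);                       // zero step in brace pattern {1..2..0}
}
```

The zero-step check sits before the loop rather than inside it: once the loop has started, the only observable symptom is unbounded memory growth, which is exactly the failure mode the advisory describes. Rejecting the pattern is one policy; treating a zero step as 1 is another, and either is safe as long as the decision is made before iteration begins.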