OESA-2026-1835
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1835
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2026-1835.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2026-1835
- Upstream
- Published
- 2026-04-11T14:03:18Z
- Modified
- 2026-04-11T14:17:30.421047Z
- Summary
- nodejs-brace-expansion security update
- Details
-
Brace expansion as known from sh/bash
Security Fix(es):
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g.,
{1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed toexpand()to ensure a step value of0is not used.(CVE-2026-33750) - Database specific
{ "severity": "Medium" }- References
Affected packages
openEuler:20.03-LTS-SP4
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-20.03-LTS-SP4
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-3.oe2003sp4
openEuler:22.03-LTS-SP4
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-22.03-LTS-SP4
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-3.oe2203sp4
openEuler:24.03-LTS
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-24.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-5.oe2403sp3
Ecosystem specific
{
"noarch": [
"nodejs-brace-expansion-1.1.11-5.oe2403.noarch.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp1.noarch.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp2.noarch.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp3.noarch.rpm"
],
"src": [
"nodejs-brace-expansion-1.1.11-5.oe2403.src.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp1.src.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp2.src.rpm",
"nodejs-brace-expansion-1.1.11-5.oe2403sp3.src.rpm"
]
}openEuler:24.03-LTS-SP1
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-24.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-5.oe2403sp1
openEuler:24.03-LTS-SP2
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-24.03-LTS-SP2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-5.oe2403sp2
openEuler:24.03-LTS-SP3
nodejs-brace-expansion
Package
- Name
- nodejs-brace-expansion
- Purl
- pkg:rpm/openEuler/nodejs-brace-expansion&distro=openEuler-24.03-LTS-SP3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.11-5.oe2403sp3