UBUNTU-CVE-2026-13149

Source
https://ubuntu.com/security/CVE-2026-13149
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-13149
Upstream
  • CVE-2026-13149
Published
2026-06-30T10:16:00Z
Modified
2026-07-01T21:19:39Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:U/V:D/RE:M/U:Amber CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

References

Affected packages

Ubuntu:18.04:LTS
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.8-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.8-1",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"
Ubuntu:20.04:LTS
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.8-1
1.1.11-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.11-1",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"
Ubuntu:22.04:LTS
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.0-1
2.0.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.1-1",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"
Ubuntu:24.04:LTS
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.1-2
2.0.1+~1.1.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.1+~1.1.0-1",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"
Ubuntu:25.10
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.1+~1.1.0-1
2.0.1+~1.1.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.1+~1.1.0-2",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"
Ubuntu:26.04:LTS
node-brace-expansion

Package

Name
node-brace-expansion
Purl
pkg:deb/ubuntu/node-brace-expansion?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.1+~1.1.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.1+~1.1.0-2",
            "binary_name": "node-brace-expansion"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-13149.json"