CVE-2026-33750 (MEDIUM): detected in Lambda Docker Images. #451
Open
Description
CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-33750 | MEDIUM | brace-expansion | 1.1.12 | 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 2026-03-27T15:16:57.297Z | 2026-03-31T10:18:22.346488473Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:a78cf0b19846d5d03dda89ed8736094884966fda693d56d3863d54e604301e88 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:c1d1d00b6833a26250d5454119dbcee276619c545fb9fed01d33424dbaa91e4e |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:a78cf0b19846d5d03dda89ed8736094884966fda693d56d3863d54e604301e88 |
| public.ecr.aws/lambda/nodejs:20 | public.ecr.aws/lambda/nodejs@sha256:afb1d5aad6c098615f5edd09e7dbfe5081ec2653c8e0ac0727168d9af4e9af48 |
Description
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate large amounts of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Remediation Steps
- Update the affected package `brace-expansion` from version 1.1.12 to one of the fixed versions: 5.0.5, 3.0.2, 2.0.3, 1.1.13.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.