Vulnerable Library - react-pdf-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (react-pdf version) |
Remediation Possible** |
| CVE-2026-33750 |
 Medium |
6.5 |
brace-expansion-1.1.12.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33750
Vulnerable Library - brace-expansion-1.1.12.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-pdf-9.0.0.tgz (Root Library)
- pdfjs-dist-4.3.136.tgz
- canvas-2.11.2.tgz
- node-pre-gyp-1.0.11.tgz
- rimraf-3.0.2.tgz
- glob-7.2.3.tgz
- minimatch-3.1.5.tgz
- ❌ brace-expansion-1.1.12.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v2.0.3,https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - brace-expansion-1.1.12.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., "{1..2..0}") causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to "expand()" to ensure a step value of "0" is not used.
Publish Date: 2026-03-27
URL: CVE-2026-33750
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/juliangruber/brace-expansion.git - v2.0.3,https://github.com/juliangruber/brace-expansion.git - v5.0.5,https://github.com/juliangruber/brace-expansion.git - v1.1.13,https://github.com/juliangruber/brace-expansion.git - v3.0.2