CVE-2026-33750 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-33750	MEDIUM	brace-expansion	1.1.12	5.0.5, 3.0.2, 2.0.3, 1.1.13	2026-03-27T15:16:57.297Z	2026-03-31T10:18:22.346488473Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:a78cf0b19846d5d03dda89ed8736094884966fda693d56d3863d54e604301e88
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:c1d1d00b6833a26250d5454119dbcee276619c545fb9fed01d33424dbaa91e4e
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:a78cf0b19846d5d03dda89ed8736094884966fda693d56d3863d54e604301e88
public.ecr.aws/lambda/nodejs:20	public.ecr.aws/lambda/nodejs@sha256:afb1d5aad6c098615f5edd09e7dbfe5081ec2653c8e0ac0727168d9af4e9af48

---

Description

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to expand() to ensure a step value of 0 is not used.

---

Remediation Steps

• Update the affected package brace-expansion from version 1.1.12 to 5.0.5, 3.0.2, 2.0.3, 1.1.13.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.