CVE-2024-4068
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| micromatch | braces | 0 <= 3.0.2 | affected |
Weaknesses
- CWE-1050: CWE-1050: Excessive Platform Resource Consumption within a Loop
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/micromatch/braces/issues/35
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
References
- https://github.com/micromatch/braces/issues/35
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.