
THREATINT
PUBLISHED

CVE-2024-4068

Memory Exhaustion in braces

Reserved: 2024-04-23
Published: 2024-05-13
Updated: 2024-05-13

Description

The NPM package `braces` fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that allocates heap memory on every iteration without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
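The mitigation the description points at is to bound what the parser is given: cap the input length and refuse patterns whose braces do not balance before any expansion library sees them. The following is an added example of such a pre-check; it is not code from the `braces` project or from the advisory, and the function names, the default length cap of 1024 and the injected `expand` callback are this example's own assumptions.

```javascript
// Added defensive pre-check for user-supplied brace patterns.
// This is NOT code from the braces project: the function names, the default
// cap and the return shape are assumptions made for this example.
// It rejects, before any expansion library is called, inputs that are too
// long or that contain unbalanced braces, the two conditions the advisory
// describes as the path to unbounded heap allocation.

const DEFAULT_MAX_PATTERN_LENGTH = 1024; // assumed cap; size it to your own inputs

function checkBracePattern(input, maxLength = DEFAULT_MAX_PATTERN_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (input.length > maxLength) {
    return { ok: false, reason: `pattern length ${input.length} exceeds cap ${maxLength}` };
  }
  // Walk the string once, honouring backslash escapes, and track nesting depth.
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') {
      i++; // skip the escaped character, whatever it is
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched '}' at index ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed '{'` };
  }
  return { ok: true, reason: null };
}

// Wrapper that refuses bad input instead of forwarding it to an expander.
// `expand` is whatever brace-expansion function the caller uses; it is
// injected here so the example runs without any third-party dependency.
function expandSafely(input, expand, maxLength) {
  const verdict = checkBracePattern(input, maxLength);
  if (!verdict.ok) {
    throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  }
  return expand(input);
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_PATTERNS = [
  'a{b,c}d',          // balanced
  'a{b,c',            // imbalanced: unclosed brace
  'a}b',              // imbalanced: stray closing brace
  'x\\{y',            // escaped brace, balanced
  '{'.repeat(5000),   // oversized and imbalanced
];

for (const pattern of SAMPLE_PATTERNS) {
  const verdict = checkBracePattern(pattern);
  const shown = pattern.length > 20 ? pattern.slice(0, 20) + '...' : pattern;
  console.log(JSON.stringify(shown), verdict.ok ? 'accepted' : `rejected: ${verdict.reason}`);
}
```

The length check runs first so that an oversized pattern is rejected in constant time without scanning it; the balance scan is a single pass with no allocation, so the pre-check itself cannot be turned into the resource-consumption problem it guards against.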

Severity

HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Problem types

CWE-1050: Excessive Platform Resource Consumption within a Loop

Product status

Default status: unknown

Any version: affected

Credits

Mário Teixeira, Checkmarx Research Group (finder)

References

https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308

https://github.com/micromatch/braces/issues/35

https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ (third-party advisory)

cve.org: CVE-2024-4068

nvd.nist.gov: CVE-2024-4068

https://cve.threatint.com/CVE/CVE-2024-4068