CVE-2024-4068

CVE-2024-4068

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Published May 15, 2024

https://github.com/micromatch/braces/issues/35 https://github.com/micromatch/braces/pull/37

CVSS ScoreHigh

7.5

Vulnerabilities

CVE-2024-4068

Published May 15, 2024

https://github.com/micromatch/braces/issues/35 https://github.com/micromatch/braces/pull/37

CVSS ScoreHigh

7.5

CVE-2024-4068 Security Details

CVE ID: CVE-2024-4068
CWE: CWE-1050
CWE-400
CVE Description: The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Published: May 15, 2024
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.225%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/micromatch/braces/issues/35PROJECT
https://github.com/micromatch/braces/pull/37PROJECT

CVE-2024-4068 Security Details

CVE ID: CVE-2024-4068
CWE: CWE-1050
CWE-400
CVE Description: The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Published: May 15, 2024
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.225%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/micromatch/braces/issues/35PROJECT
https://github.com/micromatch/braces/pull/37PROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2024-4068

CVE-2024-4068 Security Details

CVE-2024-4068 Security Details