CVE-2024-4068

EUVD-2024-1632
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CheckmarxCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
Affected Products (NVD)
VendorProductVersion
jonschlinkertbraces
𝑥
< 3.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-braces
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
forky
3.0.3+~3.0.5-1
fixed
sid
3.0.3+~3.0.5-1
fixed
trixie
3.0.3+~3.0.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-braces
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
Common Weakness Enumeration
References
https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
https://github.com/micromatch/braces/issues/35
https://github.com/micromatch/braces/pull/37
https://github.com/micromatch/braces/pull/40
https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
https://github.com/micromatch/braces/issues/35
https://github.com/micromatch/braces/pull/37
https://github.com/micromatch/braces/pull/40