The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
References
Configurations
No configuration.
History
21 Nov 2024, 09:42
Type | Values Removed | Values Added |
---|---|---|
References | () https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ - | |
References | () https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff - | |
References | () https://github.com/micromatch/braces/issues/35 - | |
References | () https://github.com/micromatch/braces/pull/37 - | |
References | () https://github.com/micromatch/braces/pull/40 - |
03 Jul 2024, 02:07
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-400 |
22 May 2024, 12:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
Summary | (en) The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. | |
References |
|
|
14 May 2024, 15:42
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-05-14 15:42
Updated : 2024-11-21 09:42
NVD link : CVE-2024-4068
Mitre link : CVE-2024-4068
CVE.ORG link : CVE-2024-4068
JSON object : View
Products Affected
No product.