CVE-2024-4068

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Configurations

No configuration.

History

21 Nov 2024, 09:42

Type Values Removed Values Added
References () https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ - () https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ -
References () https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff - () https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff -
References () https://github.com/micromatch/braces/issues/35 - () https://github.com/micromatch/braces/issues/35 -
References () https://github.com/micromatch/braces/pull/37 - () https://github.com/micromatch/braces/pull/37 -
References () https://github.com/micromatch/braces/pull/40 - () https://github.com/micromatch/braces/pull/40 -

03 Jul 2024, 02:07

Type Values Removed Values Added
CWE CWE-400

22 May 2024, 12:15

Type Values Removed Values Added
Summary
  • (es) El paquete NPM "braces" no limita la cantidad de caracteres que puede manejar, lo que podría provocar agotamiento de la memoria. En `lib/parse.js`, si un usuario malintencionado envía "imbalanced braces" como entrada, el análisis entrará en un bucle, lo que hará que el programa comience a asignar memoria de montón sin liberarla en ningún momento del bucle. Finalmente, se alcanza el límite del montón de JavaScript y el programa fallará.
Summary (en) The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. (en) The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
References
  • {'url': 'https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308', 'source': '596c5446-0ce5-4ba2-aa66-48b3b757a647'}
  • () https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff -
  • () https://github.com/micromatch/braces/pull/37 -
  • () https://github.com/micromatch/braces/pull/40 -

14 May 2024, 15:42

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-14 15:42

Updated : 2024-11-21 09:42


NVD link : CVE-2024-4068

Mitre link : CVE-2024-4068

CVE.ORG link : CVE-2024-4068


JSON object : View

Products Affected

No product.

CWE
CWE-1050

Excessive Platform Resource Consumption within a Loop

CWE-400

Uncontrolled Resource Consumption