CVE-2024-4068
CVE-2024-4068 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The NPM package `braces`, in versions prior to 3.0.3, does not bound the size of the input it parses, which can lead to memory exhaustion: in `lib/parse.js`, a pattern containing imbalanced braces sends the parser into a loop that keeps allocating heap memory and never frees it. EPSS estimates a 1.47% chance of exploitation in the next 30 days.
Description
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it at any point. Eventually the JavaScript heap limit is reached and the process crashes, so an attacker who controls a pattern string reaching the parser can take the service down without any authentication.
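The advisory describes the failure mode (unbounded input plus imbalanced braces) but not what a caller should do while a vulnerable copy is still installed. The following is an added example, not code from the `braces` package or its fix: a call-site guard that caps the pattern length and rejects imbalanced braces before the string ever reaches the expander. `DEFAULT_MAX_LENGTH`, the function names and the sample inputs are all assumptions chosen for this illustration; the `expand` argument stands in for whatever expander the caller uses (for example the `braces` package's default export), and the demonstration below passes a trivial function in its place.

```javascript
// Added example (not code from the braces package): validate an untrusted
// brace pattern before handing it to an expander.
//
// Two bounds are applied, both motivated by the advisory text:
//   1. a hard length cap, so the parser never sees an oversized pattern;
//   2. a balance check, so patterns with unmatched '{' or '}' are refused.
// The scan itself is a single pass over at most maxLength characters with
// O(1) state, so the guard cannot be turned into its own resource sink.
const DEFAULT_MAX_LENGTH = 10000; // assumed ceiling for this example; tune per deployment

function checkBracePattern(input, maxLength = DEFAULT_MAX_LENGTH) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLength) {
    return { ok: false, reason: `length ${input.length} exceeds ${maxLength}` };
  }
  let depth = 0;
  let maxDepth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') { i++; continue; }              // backslash-escaped char: not a brace
    if (ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: `unmatched '}' at offset ${i}` };
      depth--;
    }
  }
  if (depth !== 0) return { ok: false, reason: `${depth} unclosed '{'` };
  return { ok: true, maxDepth };
}

// Wrap an expander so that rejected patterns fail fast instead of being parsed.
function safeExpand(pattern, expand, maxLength = DEFAULT_MAX_LENGTH) {
  const verdict = checkBracePattern(pattern, maxLength);
  if (!verdict.ok) throw new Error(`rejected brace pattern: ${verdict.reason}`);
  return expand(pattern);
}

// Constructed sample inputs: a normal pattern, the two imbalanced shapes the
// advisory warns about, an escaped brace, and an oversized pattern.
const SAMPLES = ['a{b,c}d', 'a{b,c', 'a}b', '\\{literal', '{'.repeat(20000)];
for (const s of SAMPLES) {
  const v = checkBracePattern(s);
  console.log(`${v.ok ? 'accept' : 'reject'} len=${s.length} ${v.ok ? `depth=${v.maxDepth}` : v.reason}`);
}
```

The balance check is stricter than `braces` itself, which treats an unmatched brace as a literal; that is deliberate for untrusted input, where there is no legitimate reason to accept a pattern the parser cannot close. Once the dependency is upgraded to 3.0.3 or later the length cap still belongs at the trust boundary, since a library-level limit is a backstop rather than input validation.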
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5: reachable over the network with low attack complexity, no privileges and no user interaction; no confidentiality or integrity impact, high availability impact)
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jonschlinkert | Braces | < 3.0.3 |
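The table gives the affected range, but `braces` is usually installed transitively, and a lockfile can hold several copies at different versions, so checking the top-level entry alone is not enough. The following is an added example, not a tool from the project or from NVD: it walks a `package-lock.json` structure and reports every installed copy of `braces` below 3.0.3. It handles both the `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1. The embedded lockfile is constructed for the demonstration (the dependency name `legacy-watcher` is hypothetical), and the version comparison ignores prerelease and build suffixes, which is an assumption adequate for this package.

```javascript
// Added example (not code from braces or NVD): audit a package-lock.json
// for copies of `braces` older than the fixed release.
const TARGET = 'braces';
const FIXED_VERSION = '3.0.3'; // first release outside the affected range (< 3.0.3)

// Compare dotted numeric versions. Prerelease/build suffixes ("-rc.1", "+build")
// are stripped, an assumption made for this example.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of the target package from a parsed lockfile.
// lockfileVersion 2/3: "packages" keyed by install path ("node_modules/a/node_modules/b").
// lockfileVersion 1:   "dependencies" tree with nested "dependencies" objects.
// A v2 lockfile carries both; only "packages" is read to avoid double counting.
function findInstalls(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${TARGET}` || path.endsWith(`/node_modules/${TARGET}`)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === TARGET) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function audit(lock) {
  return findInstalls(lock).map(i => ({ ...i, vulnerable: isVulnerable(i.version) }));
}

// Constructed sample lockfile (v3 layout): a patched top-level copy and a
// vulnerable copy nested under a hypothetical dependency.
const SAMPLE_LOCK = {
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/legacy-watcher': { version: '2.0.0' },
    'node_modules/legacy-watcher/node_modules/braces': { version: '2.3.2' },
  },
};

// Constructed v1-style lockfile exercising the nested "dependencies" walk.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-watcher': {
      version: '2.0.0',
      dependencies: { braces: { version: '3.0.2' } },
    },
  },
};

for (const r of audit(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} ${r.version}`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Any reported path is a copy that needs the upgrade; nested copies are pinned by the intermediate dependency, so fixing them may require bumping or overriding that package rather than the top-level `braces` entry.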
References
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ (Third Party Advisory)
- https://github.com/micromatch/braces/issues/35 (Issue Tracking)
- https://github.com/micromatch/braces/pull/37 (Exploit, Issue Tracking, Patch)
- https://github.com/micromatch/braces/pull/40 (Issue Tracking, Patch)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-4068?
A memory-exhaustion (denial-of-service) vulnerability in the NPM package `braces` before version 3.0.3. The parser in `lib/parse.js` does not limit the size of its input, and a pattern with imbalanced braces sends it into a loop that allocates heap memory until the JavaScript heap limit is hit and the process crashes.
How severe is CVE-2024-4068?
CVSS 3.1 base score 7.5 (high). The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable, unauthenticated attack with no user interaction whose only impact is on availability. EPSS estimates a 1.47% chance of exploitation in the next 30 days.
How do I fix CVE-2024-4068?
Upgrade `braces` to 3.0.3 or later; the fix landed through the pull requests listed under References. `braces` is commonly pulled in as a transitive dependency, so check the lockfile for every nested copy, not only the top-level entry. Until the upgrade is in place, cap the length of untrusted patterns and reject imbalanced braces before they reach the library.
Are you affected by CVE-2024-4068?
You are affected if any copy of `braces` below 3.0.3 is installed in a code path that parses attacker-controlled patterns. Inspect `package-lock.json` (or `npm ls braces`) for versions in the affected range.
Source: NVD / NIST
