CVE-2024-4068

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-4068
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4068.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-4068
Aliases
Downstream
Related
Published
2024-05-14T15:42:48Z
Modified
2025-10-21T22:38:43.354597Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

References

Affected packages

Git / github.com/micromatch/braces

Affected ranges

Type
GIT
Repo
https://github.com/micromatch/braces
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
415d660c3002d1ab7e63dbf490c9851da80596ff

Affected versions

0.*

0.1.4

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.7.0
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1

3.*

3.0.1
3.0.2