CVE-2024-4068

May 14, 2024, 4:11 p.m.

7.5
High

Description

The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Product(s) Impacted

Product Versions
braces NPM package

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
https://github.com/micromatch/braces/issues/35

Tags

2024-05-14
596c5446-0ce5-4ba2-aa66-48b3b757a647
CVE-2024-4068
CWE-1050

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: May 14, 2024, 3:42 p.m.
Last Modified: May 14, 2024, 4:11 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

596c5446-0ce5-4ba2-aa66-48b3b757a647

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.