Memory Exhaustion in braces
CVE-2024-4068

7.5 HIGH

Key Information:

Vendor

Micromatch

Status
Vendor

CVE Published:
14 May 2024

What is CVE-2024-4068?

The npm package 'braces', maintained by Micromatch, has an input-handling flaw in versions prior to 3.0.3. An attacker can supply specially crafted imbalanced brace inputs that trigger an infinite loop in the parsing function in 'lib/parse.js'. Each iteration of that loop allocates heap memory that is never released, so the process crashes once it hits the JavaScript heap limit, causing a denial of service. The flaw underlines the need for strict input validation and bounded memory use when parsing untrusted patterns.
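Until the package can be upgraded, a defender can refuse imbalanced or oversized patterns before they ever reach the parser. The following is an added example, not code from the braces project; the length cap, the escape handling and the function names are assumptions chosen for illustration.

```javascript
// Defensive pre-check for brace-expansion patterns taken from untrusted input.
// Added example; not part of braces. MAX_PATTERN_LENGTH is an assumed cap.
const MAX_PATTERN_LENGTH = 1024;

// Scan a pattern and report whether every '{' has a matching '}'.
// A backslash escapes the next character, so "\{" does not open a group
// (assumed to mirror shell-style escaping; adjust if your input differs).
function analyzeBraces(pattern) {
  let depth = 0;
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }             // skip the escaped char
    if (ch === '{') {
      depth++;
      maxDepth = Math.max(maxDepth, depth);
    } else if (ch === '}') {
      if (depth === 0) {
        return { balanced: false, maxDepth, reason: 'unexpected "}"' };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { balanced: false, maxDepth, reason: `${depth} unclosed "{"` };
  }
  return { balanced: true, maxDepth, reason: null };
}

// Gatekeeper to call before handing a pattern to braces(). Returns
// { ok, reason } so the caller can log why an input was rejected.
function validateBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern longer than ${maxLength} characters` };
  }
  const info = analyzeBraces(pattern);
  if (!info.balanced) {
    return { ok: false, reason: `imbalanced braces: ${info.reason}` };
  }
  return { ok: true, reason: null };
}

// Constructed sample inputs: one well-formed pattern, one with an unclosed brace.
console.log(validateBracePattern('src/{a,b}/*.js'));   // { ok: true, reason: null }
console.log(validateBracePattern('src/{a,b/*.js'));    // { ok: false, reason: 'imbalanced braces: 1 unclosed "{"' }
```

Rejected inputs should be logged with their reason; a spike in "imbalanced braces" rejections from one client is a useful detection signal.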

Affected Version(s)

braces 0 <= version <= 3.0.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

Mário Teixeira, Checkmarx Research Group