CVE-2024-4068
Severity
HIGH
braces < 3.0.3 - Denial of Service via Imbalanced Braces Input
Title source: llmDescription
The npm package `braces`, in versions prior to 3.0.3, does not bound the length of the input it parses, which can lead to memory exhaustion. In `lib/parse.js`, if a malicious user supplies "imbalanced braces" as input (an opening `{` with no matching `}`), the parser enters a loop that allocates heap memory on every iteration and never frees it. The JavaScript heap limit is eventually reached and the process crashes. The condition is reachable wherever untrusted input is passed to `braces` (directly or through a dependent such as a glob matcher), so the impact is availability only (CVSS A:H, C:N, I:N). The fix is to upgrade to 3.0.3 or later.
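The mitigation the advisory implies, shown as an added example that is not code from the braces project: a fail-closed gate that enforces the two limits the vulnerable parser lacked (a hard cap on input length and rejection of imbalanced braces) before an untrusted pattern reaches the expander. `checkBracePattern`, `safeExpand`, the 10000-character cap and the sample patterns are this example's own assumptions; the expansion function is passed in as a parameter so the block runs without the `braces` package installed. Upgrading to 3.0.3 remains the actual fix; this gate is defense in depth for the caller.

```javascript
// Added example (not braces' own code): a pre-parse gate for untrusted
// brace patterns. It rejects over-long input and imbalanced braces in a
// single O(n) scan with O(1) memory, so the check itself cannot be used
// to exhaust the heap.

const DEFAULT_MAX_LENGTH = 10000; // assumption: cap chosen for this example

// Returns { ok: true, reason: '' } or { ok: false, reason: <why> }.
function checkBracePattern(input, maxLength = DEFAULT_MAX_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'input must be a string' };
  }
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLength}` };
  }
  let depth = 0;       // current nesting depth of unclosed "{"
  let escaped = false; // previous character was a backslash
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (escaped) { escaped = false; continue; } // "\{" and "\}" are literals
    if (ch === '\\') { escaped = true; continue; }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at index ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true, reason: '' };
}

// Wraps an expansion function (e.g. braces.expand, not required here) so
// that rejected patterns never reach it. Throws RangeError on rejection.
function safeExpand(input, expandFn, maxLength = DEFAULT_MAX_LENGTH) {
  const verdict = checkBracePattern(input, maxLength);
  if (!verdict.ok) {
    throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  }
  return expandFn(input);
}

// Constructed sample inputs for this example.
const SAMPLES = {
  balanced: 'a{b,c}d',
  escaped: 'a\\{b',                          // literal brace, allowed
  imbalanced: '{'.repeat(64),                // the advisory's trigger shape
  trailingClose: 'a}b',
  tooLong: 'x'.repeat(DEFAULT_MAX_LENGTH + 1),
};

// Evaluates every sample and returns name -> ok, for a quick self-check.
function runSamples() {
  const out = {};
  for (const [name, pattern] of Object.entries(SAMPLES)) {
    out[name] = checkBracePattern(pattern).ok;
  }
  return out;
}

console.log(runSamples());
// Stand-in expander so the usage runs offline; in real code pass braces.expand.
console.log(safeExpand(SAMPLES.balanced, (s) => [s]));
```

The scan is deliberately stricter than the library: `braces` treats unmatched braces as literal text, while this gate rejects them outright, so callers that need a literal `{` or `}` in a pattern must escape it. That asymmetry is the point of a fail-closed filter in front of a parser with a known unbounded-loop history.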
References
Third Party Advisory
https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
Issue Tracking
https://github.com/micromatch/braces/issues/35
Exploit, Issue Tracking, Patch
https://github.com/micromatch/braces/pull/37
Issue Tracking, Patch
https://github.com/micromatch/braces/pull/40
Scores
CVSS v3
7.5
EPSS
0.0020
EPSS Percentile
42.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1050 (Excessive Platform Resource Consumption within a Loop)
CWE-400 (Uncontrolled Resource Consumption)
Status
published
Products (2)
jonschlinkert/braces
< 3.0.3
npm/braces
0 - 3.0.3
Published
May 14, 2024
Tracked Since
Feb 18, 2026