Fluid Attacks Database

Description

Uncontrolled resource consumption in braces The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	braces	>=0 <3.0.3	3.0.3
debian 11	node-braces	=3.0.2+~3.0.0-1 \|\| =3.0.2+~3.0.1-1 \|\| =3.0.3+~3.0.4-1 \|\| =3.0.3+~3.0.5-1	-
debian 12	node-braces	=3.0.2+~3.0.1-1 \|\| =3.0.3+~3.0.4-1 \|\| =3.0.3+~3.0.5-1	-
debian 13	node-braces	>=0 <3.0.3+~3.0.4-1	3.0.3+~3.0.4-1
debian 14	node-braces	>=0 <3.0.3+~3.0.4-1	3.0.3+~3.0.4-1
rpm rhel9	nodejs-nodemon	-	-
rpm rhel8	nodejs-nodemon	-	-
rpm rhel8	pcs	-	-
rpm rhel9	pcs	-	-
rpm rhel6	firefox	-	-

1-10 of 14

Aliases

1. CVE-2024-40682. NVD-2024-40683. OSV-2024-40684. OSV-DEBIAN-2024-40685. GCVE-2024-40686. SECURITY-TRACKER-CVE-2024-4068

References

1. https://github.com/micromatch/braces/issues/352. https://github.com/micromatch/braces/pull/373. https://github.com/micromatch/braces/pull/404. https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff5. https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.