Home > Vulnerability Database > CVE-2024-4068

Mend.io Vulnerability Database

CVE-2024-4068

Good to know:

Date: May 13, 2024

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Language: JS

Severity Score

7.5

Related Resources (10)

Url: https://github.com/micromatch/braces/pull/40

Url: https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff

Url: https://github.com/micromatch/braces

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4068

Url: https://github.com/micromatch/braces/pull/37

Url: https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308

Url: https://github.com/micromatch/braces/issues/35

Url: https://devhub.checkmarx.com/cve-details/CVE-2024-4068/

Url: https://devhub.checkmarx.com/cve-details/CVE-2024-4068

Url: https://www.mend.io/vulnerability-database/CVE-2024-4068

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Excessive Platform Resource Consumption within a Loop

CWE-1050

Top Fix

Upgrade Version

Upgrade to version braces - 3.0.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4068

Good to know:

Date: May 13, 2024

Language: JS

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?