CVE-2024-4068 (CVSS 7.5, exploit available)

Memory Exhaustion in braces

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Data provided by the National Vulnerability Database (NVD)

Affected product: jonschlinkert braces, software platform node.js, version < 3.0.3

No advisory was found for this CVE.
EPSS Metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   1.47%   0.704

CVSS Metrics

Source                                 Base Score   Exploit Score   Impact Score   Vector String
596c5446-0ce5-4ba2-aa66-48b3b757a647   7.5          3.9             3.6            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1050 Excessive Platform Resource Consumption within a Loop

The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ (Third Party Advisory)
https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff (Patch)
https://github.com/micromatch/braces/issues/35 (Issue Tracking)
https://github.com/micromatch/braces/pull/37 (Patch, Exploit, Issue Tracking)
https://github.com/micromatch/braces/pull/40 (Patch, Issue Tracking)