CVE-2024-4068

Exploit

EPSS 0.23%
Veröffentlicht 14.05.2024 15:42:48
Zuletzt bearbeitet 31.12.2025 01:04:21
Quelle 596c5446-0ce5-4ba2-aa66-48b3b7
CVE-Watchlists
Login
Unerledigt
Login

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jonschlinkert ≫ Braces SwPlatformnode.js Version < 3.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.448

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
596c5446-0ce5-4ba2-aa66-48b3b757a647	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 Excessive Platform Resource Consumption within a Loop

The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://devhub.checkmarx.com/cve-details/CVE-2024-4068/

Third Party Advisory

https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff

Patch

https://github.com/micromatch/braces/issues/35

Issue Tracking

https://github.com/micromatch/braces/pull/37

Patch

Exploit

Issue Tracking

https://github.com/micromatch/braces/pull/40

Patch