High severityNVD Advisory· Published May 13, 2024· Updated Nov 6, 2024
Memory Exhaustion in braces
CVE-2024-4068
Description
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bracesnpm | < 3.0.3 | 3.0.3 |
Affected products
93- osv-coords92 versionspkg:apk/chainguard/argo-workflow-clipkg:apk/chainguard/argo-workflow-controllerpkg:apk/chainguard/argo-workflow-controller-compatpkg:apk/chainguard/argo-workflow-executorpkg:apk/chainguard/argo-workflow-executor-compatpkg:apk/chainguard/argo-workflowspkg:apk/chainguard/argo-workflows-known-hostspkg:apk/chainguard/argo-workflows-uipkg:apk/chainguard/argo-workflows-ui-3.7pkg:apk/chainguard/kibana-7pkg:apk/chainguard/kibana-7.17pkg:apk/chainguard/kibana-7-bitnamipkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/lernapkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-compatpkg:apk/chainguard/opensearch-dashboards-2-configpkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-configpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/wolfi/argo-workflow-clipkg:apk/wolfi/argo-workflow-controllerpkg:apk/wolfi/argo-workflow-controller-compatpkg:apk/wolfi/argo-workflow-executorpkg:apk/wolfi/argo-workflow-executor-compatpkg:apk/wolfi/argo-workflowspkg:apk/wolfi/argo-workflows-known-hostspkg:apk/wolfi/argo-workflows-uipkg:apk/wolfi/argo-workflows-ui-3.7pkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/lernapkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-compatpkg:apk/wolfi/opensearch-dashboards-2-configpkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-2-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-2-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-2-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizationspkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-pluginpkg:npm/bracespkg:rpm/opensuse/pgadmin4&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweedpkg:rpm/suse/pgadmin4&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/pgadmin4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/pgadmin4&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/pgadmin4&distro=SUSE%20Manager%20Server%204.3
< 3.6.5-r2+ 91 more
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.7.13-r2
- (no CPE)range: < 7.17.23-r0
- (no CPE)range: < 7.17.29-r0
- (no CPE)range: < 7.17.23-r0
- (no CPE)range: < 2.15.0-r1
- (no CPE)range: < 8.1.4-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.6.5-r2
- (no CPE)range: < 3.7.13-r2
- (no CPE)range: < 2.15.0-r1
- (no CPE)range: < 8.1.4-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 2.15.0-r0
- (no CPE)range: < 3.0.3
- (no CPE)range: < 8.5-150600.3.6.1
- (no CPE)range: < 2.11.8-1.1
- (no CPE)range: < 3.1.2-1.1
- (no CPE)range: < 0.7.0.4.git142.862ef23-1.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 8.5-150600.3.6.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- (no CPE)range: < 4.30-150300.3.18.1
- micromatch/bracesv5Range: 0
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-grv7-fg5c-xmjgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-4068ghsaADVISORY
- devhub.checkmarx.com/cve-details/CVE-2024-4068ghsaWEB
- github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.jsghsaWEB
- github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ffghsaWEB
- github.com/micromatch/braces/issues/35ghsaWEB
- github.com/micromatch/braces/pull/37ghsaWEB
- github.com/micromatch/braces/pull/40ghsaWEB
- devhub.checkmarx.com/cve-details/CVE-2024-4068/mitre
News mentions
0No linked articles in our index yet.