micromatch / braces

Faster brace expansion for node.js. Besides being faster, braces is not subject to DoS attacks like minimatch, is more accurate, and has more complete support for Bash 4.3.
https://github.com/jonschlinkert
MIT License

Memory exhaustion issue in version 3.0.2 #43

Open srijit-prox opened 4 months ago

srijit-prox commented 4 months ago

Vulnerability Details:

Vulnerability ID: CVE-2024-4068

Vulnerability Source: NVD

CWEs: CWE-1050

Inspector Score: None

Exploit Prediction Scoring System (EPSS): 0.00045

Related Vulnerabilities: None

A security vulnerability (CVE-2024-4068) has been identified in the braces NPM package, version 3.0.2 and below. The package fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, causing the program to allocate heap memory continuously without freeing it. Eventually, this will lead to the JavaScript heap limit being reached and the program crashing.

n0099 commented 3 months ago

Already fixed in 3.0.3: https://github.com/micromatch/braces/pull/40
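The report above describes parsing that loops on imbalanced braces, and the reply names 3.0.3 as the fixed release. As an added example (not code from the braces project or from either commenter), here is a consumer-side pre-check: reject over-long or imbalanced patterns before handing untrusted input to braces, and flag an installed version at or below 3.0.2. The `MAX_PATTERN_LENGTH` value and the function names are assumptions made for this example.

```javascript
// Hypothetical ceiling for a single pattern; not a braces default.
const MAX_PATTERN_LENGTH = 1024 * 64;

// True only if every unescaped '{' has a matching '}' and vice versa.
// A backslash escapes the following character, so '\{' is literal text.
function hasBalancedBraces(pattern) {
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }     // skip the escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return false;        // closing brace with no opener
      depth--;
    }
  }
  return depth === 0;                       // unclosed openers mean imbalance
}

// Guard to run before calling braces(pattern) on untrusted input.
function guardPattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  if (!hasBalancedBraces(pattern)) return { ok: false, reason: 'imbalanced braces' };
  return { ok: true, reason: null };
}

// Dependency check: versions 3.0.2 and below are affected; 3.0.3 carries the fix.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError(`unrecognised version string: ${version}`);
  const parts = m.slice(1).map(Number);
  const fixed = [3, 0, 3];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false;                             // exactly 3.0.3
}

// Constructed sample inputs: a normal pattern and an imbalanced one.
console.log(guardPattern('src/{lib,test}/*.js'));   // { ok: true, reason: null }
console.log(guardPattern('{'.repeat(32)));           // { ok: false, reason: 'imbalanced braces' }
console.log(isAffectedVersion('3.0.2'), isAffectedVersion('3.0.3')); // true false
```

Pair the guard with `npm ls braces` output: any resolved version for which `isAffectedVersion` returns true should be upgraded, and the pre-check only reduces exposure until that upgrade lands.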