CVE-2024-4068: Memory Exhaustion Vulnerability in NPM Package "braces" (versions < 3.0.3)

A recent vulnerability has been discovered in the NPM package "braces" in versions prior to 3.0.3. Designated CVE-2024-4068, it can exhaust memory and crash the program by driving it to the JavaScript heap limit. A malicious user can exploit it by sending "imbalanced braces" as input, which triggers an infinite loop in the package's parsing.

Details

A critical part of the issue lies within the lib/parse.js file of the braces package. When a user provides imbalanced braces as input, the program enters an infinite loop and keeps allocating heap memory without ever freeing it. Eventually the allocations hit the JavaScript heap limit and the program crashes.

Here's the snippet of the code section relevant to the vulnerability in lib/parse.js:

function parse(input) {
  // Indexes of opening braces that have not been closed yet
  var stack = [];
  for (var i = 0; i < input.length; i++) {
    var char = input[i];
    if (char === '{') {
      stack.push(i);
    } else if (char === '}') {
      if (stack.length > 0) {
        stack.pop();
      } else {
        // Closing brace with no matching opening brace
        throw new Error("Imbalanced braces at position " + i);
      }
    }
  }
  // Balanced only if every opening brace was closed
  return stack.length === 0;
}

The vulnerability can be triggered by sending imbalanced braces as input to the parse function:

parse('{{{{{{{'); // This will trigger the infinite loop

The input above has an uneven balance of opening and closing braces, and the program will never find a matching closing brace for each opening brace, resulting in an infinite loop and causing memory exhaustion.

Exploit

To exploit this vulnerability, a malicious user can craft a payload that takes advantage of the imbalanced braces, triggering the memory exhaustion issue. An example of a payload could be a large number of imbalanced opening braces ({) sent as input to the affected program.

Mitigation

To address this vulnerability, users should update their systems to braces package version 3.0.3 or newer if available.

Original references regarding this vulnerability can be found at the following sources:
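
One way to confirm that the update reached every installed copy, as an added example that is not code from the braces project or from the original advisory: it walks the packages map of a parsed package-lock.json (lockfileVersion 2 or 3) and reports each braces entry below 3.0.3, including copies nested under other dependencies. The function names, the sample lockfile and the package names in it are constructed for illustration.

```javascript
// Added example: list every installed copy of braces older than the fixed release.
const FIXED = [3, 0, 3]; // first fixed version, as stated in the Mitigation text

// Parse "major.minor.patch" into numbers; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before version triple b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// lock: the parsed contents of package-lock.json (must contain a "packages" map).
function findVulnerableBraces(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and nested copies (".../node_modules/braces"),
    // but not scoped or similarly named packages.
    if (!/(^|\/)node_modules\/braces$/.test(path)) continue;
    const ver = parseVersion(meta.version);
    // Entries with an unparseable version are reported for manual review.
    if (ver === null || isBelow(ver, FIXED)) {
      hits.push({ path, version: meta.version ?? null });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/micromatch": { version: "4.0.5" },
    "node_modules/legacy-tool/node_modules/braces": { version: "2.3.2" },
    "node_modules/other/node_modules/braces": { version: "3.0.2" },
    "node_modules/not-braces": { version: "1.0.0" },
  },
};

console.log(findVulnerableBraces(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json instead of sampleLock; a non-empty result means some dependency still pins an affected copy.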

- NPM braces package
- GitHub braces repository

Conclusion

CVE-2024-4068 is a serious vulnerability that could pose a significant risk to users of the braces NPM package. It is crucial for users to be aware of this issue and take appropriate steps to mitigate it, such as updating to the latest version of the package. By staying informed and taking prompt action, users can help ensure the continued security of their applications and systems.

Timeline

Published on: 05/14/2024 15:42:48 UTC
Last modified on: 07/03/2024 02:07:03 UTC