7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4068

GHSA ID

GHSA-grv7-fg5c-xmjg

EPSS Score

0.45177%

CWE

CWE-400

Published

5/14/2024

Updated

7/5/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-4068

CVE-2024-4068: Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4068

GHSA ID

GHSA-grv7-fg5c-xmjg

EPSS Score

0.45177%

CWE

CWE-400

Published

5/14/2024

Updated

7/5/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
braces	npm	< 3.0.3	3.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the parse function's loop structure in lib/parse.js. Key evidence includes:

The commit diff shows critical changes to the stack processing loop that previously caused unbounded memory growth
The removed validate-input.js and MAX_SYMBOLS checks indicate insufficient input validation
Multiple sources explicitly reference line 308 in parse.js (pre-patch) as the vulnerable loop
The patch focused on simplifying the loop structure and reducing default MAX_LENGTH to prevent exploitation
CWE-1050 (Excessive Platform Resource Consumption within a Loop) directly maps to this recursive block processing pattern

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** NPM p**k*** `*r***s` **ils to limit t** num**r o* ***r**t*rs it **n **n*l*, w*i** *oul* l*** to M*mory *x**ustion. In `li*/p*rs*.js,` i* * m*li*ious us*r s*n*s "im**l*n*** *r***s" *s input, t** p*rsin* will *nt*r * loop, w*i** will **us* t** pro*

Reasoning

T** vuln*r**ility st*ms *rom t** p*rs* *un*tion's loop stru*tur* in li*/p*rs*.js. K*y *vi**n** in*lu**s: *. T** *ommit *i** s*ows *riti**l ***n**s to t** st**k pro**ssin* loop t**t pr*viously **us** un*oun*** m*mory *rowt* *. T** r*mov** v*li**t*-inp

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-4068: Uncontrolled resource consumption in braces

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI