​
Security Advisories

CGA-hq78-8245-675v

Published

Last updated

https://images.chainguard.dev/security/CGA-hq78-8245-675v
Package

lerna

Latest Update
Fixed
Fixed Version

8.1.4-r0

Aliases
  • CVE-2024-4068
  • GHSA-grv7-fg5c-xmjg

Severity

7.5

High

CVSS V3

Summary

Uncontrolled resource consumption in braces

Description

The npm package braces fails to limit the number of characters it can handle, which can lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory and never frees it. Eventually the JavaScript heap limit is reached and the program crashes.
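
A pre-validation guard for the two input properties the description names (unbounded length and imbalanced braces), as an added example that is not part of the advisory or of the braces project. The function name checkBracePattern, the reason strings and the 1024-character limit are assumptions; the guard complements upgrading to the fixed version and does not replace it.

```javascript
// Assumed policy value; not taken from the advisory or from braces itself.
const MAX_PATTERN_LENGTH = 1024;

/**
 * Pre-validate a brace pattern from an untrusted source before it is handed
 * to a brace-expansion library. Returns { ok: true } or { ok: false, reason }.
 * Hypothetical helper written for this example.
 */
function checkBracePattern(input, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  // Bound the input first so the scan below does at most maxLength steps.
  if (input.length > maxLength) {
    return { ok: false, reason: 'too-long' };
  }
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') {
      i++; // a backslash escapes the next character, so skip it
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: 'unbalanced-close' };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: 'unbalanced-open' };
  }
  return { ok: true };
}

// Constructed sample inputs, for illustration only.
const samples = [
  'packages/{a,b}/src', // balanced
  'packages/{a,{b,c}',  // one brace left open
  'a}b',                // close without open
  'lit\\{eral',         // escaped brace is treated as a literal
  'x'.repeat(2000),     // over the assumed length limit
];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 24)), checkBracePattern(s));
}
```

Call the guard at the trust boundary where a pattern arrives (CLI argument, config field, request parameter) and reject the input when ok is false.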

References

Updates


© 2024 Chainguard. All Rights Reserved.