Bug ID 1224310
Summary VUL-0: CVE-2024-4068: xpra-html5: the npm package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/405385/
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee scott.bradnick@suse.com
Reporter smash_bz@suse.de
QA Contact security-team@suse.de
CC gabriele.sonnu@suse.com
Target Milestone ---
Found By Security Response Team
Blocker ---

The NPM package `braces` fails to limit the number of characters it can handle,
which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user
sends "imbalanced braces" as input, the parser enters a loop that keeps
allocating heap memory without freeing any of it. Eventually the JavaScript
heap limit is reached and the program crashes.
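
A defensive pre-check of the kind a consumer of `braces` can put in front of untrusted patterns, added here as an example that is not part of this bug report or of the braces project: it enforces a hard length cap and rejects imbalanced braces before the pattern ever reaches the expansion library, so the degenerate parse path described above is never entered. The cap value, the function names and the backslash-escape rule are assumptions made for this example.

```javascript
// Added example (not code from the bug report or the braces project).
// Assumption: real glob patterns are short, so 1024 characters is a generous cap.
const MAX_PATTERN_LENGTH = 1024;

/**
 * Inspects `pattern` and reports whether it is safe to pass to a
 * brace-expansion library. Backslash-escaped braces count as literals.
 * Returns { ok: boolean, reason: string }.
 */
function checkBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Length cap first: cheapest check, and it bounds all later work.
  if (pattern.length > maxLength) {
    return { ok: false, reason: `length ${pattern.length} exceeds ${maxLength}` };
  }
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }   // skip the escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: `unmatched '}' at ${i}` };
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed '{'` };
  }
  return { ok: true, reason: '' };
}

/**
 * Guard wrapper: `expand` is the caller's brace-expansion function (hypothetical
 * parameter); it is only invoked when the pre-check passes.
 */
function expandIfSafe(pattern, expand) {
  const verdict = checkBracePattern(pattern);
  if (!verdict.ok) {
    throw new RangeError(`rejected brace pattern: ${verdict.reason}`);
  }
  return expand(pattern);
}
```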

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4068
https://www.cve.org/CVERecord?id=CVE-2024-4068
https://devhub.checkmarx.com/cve-details/CVE-2024-4068/
https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
https://github.com/micromatch/braces/issues/35
