NodeJS/braces/0.1.5
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
https://www.npmjs.com/package/braces
MIT
3 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS) in braces
A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Regular Expression Denial of Service in braces
Versions of braces
prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Recommendation
Upgrade to version 2.3.1 or higher.
Uncontrolled resource consumption in braces
- https://nvd.nist.gov/vuln/detail/CVE-2024-4068
- https://github.com/micromatch/braces/issues/35
- https://devhub.checkmarx.com/cve-details/CVE-2024-4068
- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308
- https://github.com/micromatch/braces/pull/37
- https://github.com/micromatch/braces/pull/40
- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff
- https://github.com/advisories/GHSA-grv7-fg5c-xmjg
The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends imbalanced braces
as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
37 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
2.3.1 | MIT | 1 | 2018-02-18 - 04:16 | over 6 years |
3.0.2 | MIT | 1 | 2019-04-16 - 19:51 | over 5 years |
2.3.2 | MIT | 1 | 2018-04-08 - 14:21 | over 6 years |
3.0.0 | MIT | 1 | 2019-04-08 - 22:47 | over 5 years |
3.0.1 | MIT | 1 | 2019-04-10 - 11:30 | over 5 years |
1.0.0 | MIT | 3 | 2014-12-23 - 11:35 | over 9 years |
1.1.0 | MIT | 3 | 2015-01-12 - 00:45 | over 9 years |
1.2.0 | MIT | 3 | 2015-01-16 - 11:55 | over 9 years |
0.1.4 | MIT | 3 | 2014-11-15 - 03:24 | almost 10 years |
1.4.0 | MIT | 3 | 2015-01-25 - 00:33 | over 9 years |
1.5.0 | MIT | 3 | 2015-01-28 - 18:08 | over 9 years |
1.5.1 | MIT | 3 | 2015-01-30 - 13:27 | over 9 years |
1.6.0 | MIT | 3 | 2015-01-30 - 13:35 | over 9 years |
1.7.0 | MIT | 3 | 2015-01-31 - 00:24 | over 9 years |
0.1.1 | MIT | 3 | 2014-10-22 - 18:19 | almost 10 years |
1.8.1 | MIT | 3 | 2015-08-21 - 10:17 | about 9 years |
1.8.2 | MIT | 3 | 2015-10-19 - 17:46 | almost 9 years |
1.8.3 | MIT | 3 | 2015-12-19 - 23:03 | almost 9 years |
1.8.4 | MIT | 3 | 2016-04-20 - 08:24 | over 8 years |
1.8.5 | MIT | 3 | 2016-05-21 - 15:13 | over 8 years |
2.0.0 | MIT | 3 | 2016-10-20 - 01:32 | almost 8 years |
2.0.1 | MIT | 3 | 2016-10-20 - 21:05 | almost 8 years |
2.0.2 | MIT | 3 | 2016-10-21 - 06:46 | almost 8 years |
2.0.3 | MIT | 3 | 2016-12-11 - 01:13 | almost 8 years |
0.1.0 | MIT | 3 | 2014-10-20 - 16:26 | almost 10 years |
0.1.2 | MIT | 3 | 2014-10-22 - 18:51 | almost 10 years |
0.1.5 | MIT | 3 | 2014-11-24 - 02:08 | almost 10 years |
1.3.0 | MIT | 3 | 2015-01-24 - 11:32 | over 9 years |
1.8.0 | MIT | 3 | 2015-03-18 - 11:37 | over 9 years |
2.0.4 | MIT | 3 | 2017-04-12 - 01:12 | over 7 years |
2.2.1 | MIT | 3 | 2017-05-31 - 01:21 | over 7 years |
2.1.1 | MIT | 3 | 2017-04-27 - 08:10 | over 7 years |
2.3.0 | MIT | 3 | 2017-10-19 - 13:37 | almost 7 years |
2.1.0 | MIT | 3 | 2017-04-26 - 22:39 | over 7 years |
2.2.0 | MIT | 3 | 2017-05-28 - 23:30 | over 7 years |
2.2.2 | MIT | 3 | 2017-05-31 - 09:56 | over 7 years |
3.0.3 | MIT | 2024-05-21 - 08:59 | 4 months |