CVE-2024-4068

CVSS v3.1 base score: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

📋 TL;DR

The braces npm package before version 3.0.3 fails to limit the number of characters it will parse. In lib/parse.js, input containing imbalanced braces sends the parser into a loop that keeps allocating heap memory without freeing it; the process eventually hits the V8 heap limit and dies with a fatal out-of-memory error. Any application that passes user-controlled patterns to a vulnerable braces, whether it depends on the package directly or pulls it in transitively (most commonly through micromatch), can be forced into a denial of service with a single crafted request.

💻 Affected Systems

Products:
  • braces NPM package
Versions: All versions before 3.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that hands user-controlled input to braces for pattern expansion is vulnerable. The defect is in the parsing logic itself and is not configuration-dependent. Because braces is usually a transitive dependency, check the lockfile (package-lock.json or yarn.lock) rather than package.json alone; there may be several nested copies at different versions.

📦 What is this software?

braces is a Node.js library that implements Bash-style brace expansion, turning a pattern such as src/{a,b}/*.js or file{1..3}.txt into the set of strings it denotes. It is maintained in the micromatch organisation and is consumed mostly indirectly, through glob-matching libraries such as micromatch and the tooling built on them, so a large number of applications depend on it without ever listing it in their own package.json.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing application crashes and potential service disruption across affected systems, with possible cascading failures in dependent services.

🟠

Likely Case

Application crashes and denial of service for affected endpoints, requiring manual restart of services and potential data loss for in-memory operations.

🟢

If Mitigated

Minimal impact with proper input validation and memory limits in place, potentially causing degraded performance but preventing complete crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted input with imbalanced braces to applications that process patterns. The vulnerability is simple to trigger with minimal technical knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3

Vendor Advisory: https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff

Restart Required: Yes

Instructions:

1. Update package.json so that braces resolves to 3.0.3 or later. braces is usually a transitive dependency; if a parent package pins an older range, add an overrides entry (npm) or a resolutions entry (yarn) for braces so the whole tree is forced onto the fixed release.
2. Run 'npm update braces' (or 'yarn upgrade braces'), then confirm with 'npm ls braces' that every installed copy, including nested ones under node_modules/*/node_modules, reports 3.0.3 or later.
3. Restart all affected applications and services so that running processes load the updated code.

🔧 Temporary Workarounds

Input validation and sanitization (scope: all)

Validate patterns before they reach the braces library: reject input with imbalanced braces, and cap both total length and brace nesting depth. A rejected pattern never enters the vulnerable parser, so this blocks the known trigger regardless of which copy of braces is installed.

Memory limit enforcement (scope: all)

Set a Node.js heap limit and run the process under a supervisor that restarts it on exit. This does not stop a malicious pattern from killing the process; it bounds how much memory one process can consume before it dies, so the failure is fast and contained instead of starving the host. Size the limit to the application's real working set, or legitimate load will trigger the same crash.

node --max-old-space-size=512 your-app.js

🧯 If You Can't Patch

  • Implement strict input validation to reject any patterns containing braces that don't have matching pairs
  • Deploy rate limiting and WAF rules to block patterns with excessive braces or suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check package-lock.json (or yarn.lock) rather than package.json alone, since braces is usually a transitive dependency. Run 'npm ls braces', which prints every installed copy with its version, including nested copies under other packages, or inspect node_modules/braces/package.json directly. 'npm audit' also reports this advisory for any copy below 3.0.3.

Check Version:

npm list braces | grep braces

Verify Fix Applied:

Confirm that every copy of braces reported by 'npm ls braces' is 3.0.3 or higher. If you also want to test behaviour with patterns containing imbalanced braces, do so only on an isolated test host with a heap limit set (node --max-old-space-size), because on a vulnerable version the test will crash the process rather than return an error.
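A lockfile audit that mirrors what 'npm ls braces' reports, as an added example in JavaScript (not part of the advisory or the braces project). It walks a package-lock.json object in both the lockfileVersion 2/3 "packages" layout and the older nested "dependencies" layout, lists every installed copy of braces including copies nested under other dependencies, and flags anything below 3.0.3. SAMPLE_LOCK and SAMPLE_LOCK_V1 are constructed lockfiles, and the version parser assumes plain MAJOR.MINOR.PATCH versions.

```javascript
'use strict';

const FIXED = [3, 0, 3]; // first fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers. Assumption: braces releases use
// plain three-part versions; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version sorts strictly before 3.0.3.
function isVulnerable(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] < FIXED[i]) return true;
    if (v[i] > FIXED[i]) return false;
  }
  return false; // exactly 3.0.3
}

// Collect every installed copy of braces from a parsed package-lock.json,
// returning [{ path, version, vulnerable }] in install-path form.
function findBraces(lock) {
  const found = [];
  const record = (path, meta) =>
    found.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });

  // lockfileVersion 2 and 3: a flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/braces' || path.endsWith('/node_modules/braces')) {
      record(path, meta);
    }
  }

  // lockfileVersion 1: a nested "dependencies" tree. Only walked when there is
  // no "packages" map, so a v2 file (which carries both) is not double-counted.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'braces') record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');

  return found;
}

// Constructed lockfiles: a v3 file with a patched top-level copy and an
// unpatched copy nested under another package, and a v1 file where braces
// sits under an old micromatch.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { micromatch: '^4.0.5' } },
    'node_modules/micromatch': { version: '4.0.5' },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/old-tool': { version: '1.0.0' },
    'node_modules/old-tool/node_modules/braces': { version: '3.0.2' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    micromatch: { version: '3.1.10', dependencies: { braces: { version: '2.3.2' } } },
  },
};

// Paths of the copies that still need fixing, for a quick report.
function vulnerablePaths(lock) {
  return findBraces(lock).filter(c => c.vulnerable).map(c => c.path);
}
```

To audit a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). Any entry with vulnerable: true is a copy the fix instructions above must reach, which for a nested copy usually means an overrides entry, since 'npm update braces' alone will not move it past the parent package's pinned range.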

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with 'JavaScript heap out of memory' errors
  • Unusual memory consumption spikes in monitoring
  • Repeated application restarts

Network Indicators:

  • Patterns with excessive braces in HTTP requests
  • Repeated requests with similar malformed patterns

SIEM Query (pseudo-syntax; adapt the source and field names to your log schema):

source="application.logs" AND ("heap out of memory" OR "FATAL ERROR: Reached heap limit") AND process="node"
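The log and network indicators above turned into detection logic and run over constructed sample lines, as an added example in JavaScript (not from the advisory). oomEvents matches the fatal heap message Node prints on exhaustion, and suspiciousRequests decodes the request URL of each combined-format access-log line and flags requests whose URL carries more braces than MAX_BRACES or more opening than closing braces, grouped by client address so repeated attempts from one source stand out. ACCESS_LOG, APP_LOG and the MAX_BRACES threshold are this example's own.

```javascript
'use strict';

// The fatal message Node prints when V8 exhausts its heap (the page's first
// log indicator).
const OOM_RE = /FATAL ERROR: Reached heap limit|JavaScript heap out of memory/;

// Common/combined access-log format: client, timestamp, request line, status.
const ACCESS_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE|HEAD) (\S+) [^"]*" (\d{3})/;

// Threshold for "excessive braces" in one URL. This example's own choice
// (assumption); tune it to the longest legitimate pattern your API accepts.
const MAX_BRACES = 16;

// Constructed sample data: one benign glob request, two copies of a
// brace-flooding request from the same client, then the application's stderr.
const ACCESS_LOG = [
  '10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /files?glob=src/%7Ba,b%7D/*.js HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jun/2024:10:00:02 +0000] "GET /files?glob=' + '%7B'.repeat(20) + ' HTTP/1.1" 502 0',
  '203.0.113.9 - - [01/Jun/2024:10:00:03 +0000] "GET /files?glob=' + '%7B'.repeat(20) + ' HTTP/1.1" 502 0',
];
const APP_LOG = [
  '2024-06-01T10:00:02.500Z node[4242] FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory',
  '2024-06-01T10:00:05.000Z supervisor: restarting node (exit 134)',
];

// Count braces in a string and the surplus of opens over closes.
function braceStats(s) {
  let open = 0;
  let close = 0;
  for (const ch of s) {
    if (ch === '{') open++;
    else if (ch === '}') close++;
  }
  return { total: open + close, imbalance: open - close };
}

// Percent-decode a URL, falling back to the raw text on malformed escapes so
// a deliberately broken encoding cannot crash the detector itself.
function safeDecode(url) {
  try {
    return decodeURIComponent(url);
  } catch {
    return url;
  }
}

// Map of client -> { count, statuses } for requests whose URL looks like a
// brace-expansion DoS attempt.
function suspiciousRequests(lines, maxBraces = MAX_BRACES) {
  const byClient = new Map();
  for (const line of lines) {
    const m = ACCESS_RE.exec(line);
    if (!m) continue;
    const [, client, url, status] = m;
    const { total, imbalance } = braceStats(safeDecode(url));
    if (total > maxBraces || imbalance !== 0) {
      const entry = byClient.get(client) || { count: 0, statuses: [] };
      entry.count += 1;
      entry.statuses.push(Number(status));
      byClient.set(client, entry);
    }
  }
  return byClient;
}

// Application log lines that record a heap-exhaustion crash.
function oomEvents(lines) {
  return lines.filter(line => OOM_RE.test(line));
}
```

Correlating the two outputs is the useful step: a heap-exhaustion crash within seconds of a flagged request from the same client is strong evidence of exploitation rather than an ordinary memory leak, and the client address gives you something to rate-limit or block while the patch rolls out.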
