CWE-400 | Uncontrolled resource consumption

[archanasharma3]

Ran latest scan and landed with this issue - CWE-400 | Uncontrolled resource consumption

The NPM package "braces" fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

braces/lib/parse.js on line 308 - do {

[doowb]

@archanasharma3 could you provide the error you're seeing when the heap limit is reached and your program crashes?

The pattern length is checked here.
You could either check the pattern length before passing it to braces or handle the error in a try-catch.

There's also an option that will enforce a lower max length if you'd like to do that and catch the error.

[rahulmukherjee85]

In addition to @archanasharma3 comments,
braces flagged as vulnerable package:
Dependency npm:braces 3.0.2 is vulnerable
Cxab55612e-3a56 7.5 - CWE-400
Results powered by Checkmarx(c)
Braces is a transitive dependency of Npm-chokidar in our application.
there any way to set the limit in global level ? please let us know

[MarioTeixeiraCx]

Hello @doowb,

I'm reaching out here to confirm that this is indeed the other vulnerability reported by the Checkmarx CxResearch group. We opened this issue (micromatch/micromatch#243) after trying to reach out by email unsuccessfully. You can still find the details in the report we sent.

CVEs for both vulnerabilities will come out soon.

Thank you,
Mário Teixeira

[LoganArnett]

It looks like the description of this vulnerability is around the do/while loop for the imbalanced braces:

The NPM package "braces" fails to limit the number of characters it can handle, 
which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends 
"imbalanced braces" as input, the parsing will enter a loop, which will cause the 
program to start allocating heap memory without freeing it at any moment of the 
loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

[MarioTeixeiraCx]

Hello @doowb ,

CVEs for micromatch and braces vulnerabilities are now public. You can see this comment for additional details:
micromatch/micromatch#243 (comment)

Best regards,
Mário Teixeira

[sdupont73]

Does anyone know when a fix is expected for this vulnerability?

[benjsmi]

@sdupont73 -- I'm going to guess that the answer to "when is a fix coming" is probably never. The last commit to this repository was 2019. Same goes for the npm. I do not maintain this project, so I don't actually know, but we've not heard anything from the maintainers and there seems to be very little development effort, so my guess is that a replacement is a better option.

[BlueTux611]

For this issue proposed this as potential fix:

[prabhu]

So you found an infinite loop and then decided to call it a security vulnerability? The amount of time human civilization wastes with low quality CVEs is staggering.

[theta682]

I see a commit 9f5b4cf which is included in v3.0.3. Probably this means the issue is fixed.

[MarioTeixeiraCx]

Hi,

We did a PoC and can confirm that version 3.0.3 fixed the issue for CVE-2024-4068.

However, as stated here, the ReDoS vulnerability (CVE-2024-4067) still exists and can potentially be exploited if a certain library is calling the vulnerable method.

Best regards,
Mário Teixeira