MEDIUM · CVSS 5.3

CVE-2024-4068 — braces ReDoS (build-time DoS)

A ReDoS in the `braces` package — pulled transitively by virtually every Node project via micromatch — allowed malicious brace patterns to hang parser processes.

Affects
  • braces < 3.0.3

What an attacker does

Any tool that uses braces to expand user-controlled patterns (CLI arguments, config files) can stall on a crafted pattern. For most applications this is not a runtime vulnerability; it is a CI/build DoS for projects that accept untrusted config.

How to detect

`npm ls braces` shows every copy of braces in the dependency graph and the chain that pulls each one in. Any copy below 3.0.3 is vulnerable, including copies nested under another package's `node_modules`.
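As an added example (not part of this advisory or of Securie's tooling), the following script applies the same check to a `package-lock.json` (lockfile v2/v3 `packages` map): it walks every installed copy of braces, including nested ones, and reports those below 3.0.3. The lockfile embedded below is a constructed sample, not from a real project.

```javascript
// Constructed sample lockfile: one top-level braces 3.0.2 (vulnerable) and one
// nested copy already at 3.0.3 under chokidar.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/micromatch": { version: "4.0.5", dependencies: { braces: "^3.0.2" } },
    "node_modules/braces": { version: "3.0.2" },
    "node_modules/chokidar/node_modules/braces": { version: "3.0.3" },
  },
});

const PATCHED = "3.0.3"; // first fixed release named in the advisory

// Compare dotted numeric versions (pre-release suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lockfile path whose installed braces version is below 3.0.3.
function findVulnerableBraces(lockJson) {
  const packages = JSON.parse(lockJson).packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Match top-level and nested copies: ".../node_modules/braces".
    if (!/(^|\/)node_modules\/braces$/.test(path)) continue;
    if (compareVersions(meta.version, PATCHED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Stand-alone use: `node check-braces.js [path/to/package-lock.json]`;
// without an argument the constructed sample above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const input = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  for (const hit of findVulnerableBraces(input)) {
    console.log(`CVE-2024-4068: ${hit.path}@${hit.version} (< ${PATCHED})`);
  }
}
```

An empty result means no installed copy of braces is below 3.0.3; a non-empty result lists the exact nested path to update.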

How to fix

Run `npm update` to pull 3.0.3 or later, then re-run `npm ls braces` to confirm that no older copy remains nested under another dependency. Most frameworks now pin the patched version.


How Securie catches CVE-2024-4068

Securie flags the transitive chain.


References