MEDIUM · CVSS 5.3

CVE-2024-4068 — braces ReDoS (build-time DoS)

A ReDoS in the `braces` package — pulled transitively by virtually every Node project via micromatch — allowed malicious brace patterns to hang parser processes.

Affects
  • braces < 3.0.3

What an attacker does

Any tool that uses braces to expand user-controlled patterns (CLI arguments, config files) can stall on a crafted pattern. For most applications this is not a runtime vulnerability; it is a CI/build DoS for projects that accept untrusted configuration.

How to detect

`npm ls braces` shows the transitive graph. Anything below 3.0.3 is vulnerable.
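A script, added here as an example (not part of this advisory or of the braces project), that turns that `npm ls` output into a CI check: it reads the JSON from `npm ls braces --json --all` saved to a file and prints every dependency chain that still resolves to braces below 3.0.3. The `version`/`dependencies` node shape is npm's own JSON format; the file name `check-braces.js` and the embedded sample tree are assumptions.

```javascript
// Added example (not the advisory's or the braces project's code): walk the JSON
// from `npm ls braces --json --all` and list every chain ending in braces < 3.0.3.
const PATCHED = [3, 0, 3]; // first fixed release per CVE-2024-4068
// Parse the numeric core of a version string; prerelease/build tags are ignored,
// which is sufficient for the published braces releases this check targets.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// true when the version sorts strictly before 3.0.3
function isVulnerable(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false;
}
// Recursively walk the `dependencies` objects emitted by `npm ls --json` and
// return human-readable chains (dep@ver > ... > braces@ver) for each vulnerable hit.
function findVulnerableBraces(tree, chain = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = chain.concat(`${name}@${node.version || '?'}`);
    if (name === 'braces' && node.version && isVulnerable(node.version)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerableBraces(node, here));
  }
  return hits;
}
// Constructed sample shaped like `npm ls braces --json --all` output (not real data):
// one path still on 3.0.2, one already on the patched 3.0.3.
const SAMPLE = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    chokidar: { version: '3.5.3', dependencies: { braces: { version: '3.0.2' } } },
    micromatch: { version: '4.0.7', dependencies: { braces: { version: '3.0.3' } } },
  },
};
// Usage: npm ls braces --json --all > tree.json && node check-braces.js tree.json
// With no argument the constructed SAMPLE is checked instead.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const tree = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE;
  const hits = findVulnerableBraces(tree);
  console.log(hits.length ? hits.join('\n') : 'no vulnerable braces found');
  if (file && hits.length) process.exitCode = 1; // fail CI only on real input
}
```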

How to fix

Run `npm update` to pull 3.0.3+. Most frameworks now pin the patched version.

How Securie catches it

Securie flags the transitive chain.

References