GHSA-grv7-fg5c-xmjg · Severity: high · Ecosystem: npm — Uncontrolled resource consumption in braces
The npm package `braces`, in versions prior to 3.0.3, fails to limit the number of characters it can handle, which can lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory without freeing any of it during the loop. Eventually the JavaScript heap limit is reached and the program crashes.
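As an added defensive example (not code from the braces project or from this advisory), the guard below rejects over-long or imbalanced brace patterns before they reach a brace-expansion parser, which is a reasonable compensating control until the upgrade to 3.0.3 is deployed. `MAX_INPUT_LENGTH`, `checkBraceInput` and `safeExpand` are hypothetical names chosen here; the `expand` callback stands in for a library call such as `braces.expand`, whose documented `maxLength` option the wrapper also sets.

```javascript
// Added mitigation example, not part of braces: a pre-parse guard that
// rejects over-long input and imbalanced braces before the string is handed
// to an expander. Escaped braces (\{ and \}) are treated as literals, the way
// brace-expansion syntax treats them.

const MAX_INPUT_LENGTH = 1024; // assumed cap; tune to what the application needs

function checkBraceInput(input, maxLength = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'input must be a string' };
  }
  if (input.length > maxLength) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLength}` };
  }
  let depth = 0;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\') {
      i++; // skip the escaped character, whatever it is
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at index ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true, reason: null };
}

// Only hand the pattern to the expander (e.g. braces.expand) once the guard
// passes; the expander's own maxLength option is set as a second layer.
function safeExpand(expand, input, maxLength = MAX_INPUT_LENGTH) {
  const check = checkBraceInput(input, maxLength);
  if (!check.ok) {
    throw new RangeError(`rejected brace pattern: ${check.reason}`);
  }
  return expand(input, { maxLength });
}
```

Rejecting unbalanced input is stricter than the library itself, which treats a stray brace as a literal; apply the guard only where such patterns are not expected from callers.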
Conclusion & alert: CVE-2024-4068 is rated High Exploit Risk (70.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.47%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). EPSS rose +1.20% over the last day, indicating growing attacker interest. Mandatory action: public exploits are available; assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | — | Exploit-DB |
EPSS: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.27% | 1.47% | +1.20% |
| 2 | 2026-06-01 | 0.20% | 0.27% | +0.07% |
| 3 | 2025-12-04 | — | 0.20% | — |
Full EPSS history (28 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH | — | 3.9 | 3.6 | 596c5446-0ce5-4ba2-aa66-48b3b757a647 |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | not yet assigned | CVE-2024-4068 not yet assigned priority: Debian tracks 1 source package (node-braces), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2024-4068 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2024-4068 |
| suse | high | CVE-2024-4068 severity important: SUSE tracks 70 source package names (cockpit, cockpit-bridge, …), 468 product×package rows across 51 product lines (SUSE Enterprise Storage 7.1, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, …): Known Not Affected 392, Fixed 76. | https://www.suse.com/security/cve/CVE-2024-4068/ |
| ubuntu | medium | CVE-2024-4068 medium priority: Ubuntu tracks 1 source package (node-braces), 9 status rows across 9 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, upstream): needs-triage 6, ignored 3. | https://ubuntu.com/security/CVE-2024-4068 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| jonschlinkert | braces | < 3.0.3 | cpe:2.3:a:jonschlinkert:braces:*:*:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://devhub.checkmarx.com/cve-details/CVE-2024-4068/ | Third Party Advisory |
| https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff | Patch |
| https://github.com/micromatch/braces/issues/35 | Issue Tracking |
| https://github.com/micromatch/braces/pull/37 | Exploit, Issue Tracking, Patch |
| https://github.com/micromatch/braces/pull/40 | Issue Tracking, Patch |