Vulnerability reported in braces package that is using chokidar@3.5.3
Ashokkumar1995 opened this issue · 1 comments
Command
other
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
Hi, we are using Angular 15 in our project and recently got a vulnerability issue reported in one of the transitive dependencies used in "@angular-devkit/build-angular": "^15.2.11" package.
_Vulnerability message when we run audit:
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2024-4068
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45_
I think this will affect other angular versions as well. can we get a minor fix for angular 15 and later versions?
Minimal Reproduction
Create a angular 15 project and use this library "auditjs": "^4.0.41", to run the audit.
Exception or Error
> auditjs ossi --q && (echo 'No Vulnerabilities Found.') || (echo 'Vulnerabilities found. Please fix them before proceeding further' && exit 1)
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2024-4068
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45
Your Environment
Angular CLI: 15.2.10
Node: 16.19.1
Package Manager: npm 8.19.3
OS: win32 x64
Angular: 15.2.10
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, localize, platform-browser
... platform-browser-dynamic, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1502.10
@angular-devkit/build-angular 15.2.11
@angular-devkit/core 15.2.10
@angular-devkit/schematics 15.2.10
@angular/cdk 15.2.9
@angular/flex-layout 15.0.0-beta.42
@angular/material 15.2.9
@schematics/angular 15.2.10
ng-packagr 15.2.2
rxjs 6.6.7
typescript 4.8.2
Anything else relevant?
CVE-2024-4068 was recently introduced and thus the vulnerability was not reported before.