[24] Uncontrolled resource consumption in braces #444

New issue

Open

opened 2024-06-24 18:41:19 +01:00 by Helpdesk · 0 comments

Helpdesk commented 2024-06-24 18:41:19 +01:00

Member

Copy link

Package: braces (npm)
Affected versions: < 3.0.3
Patched version: 3.0.3

https://github.com/Vylpes/vylbot-app/security/dependabot/24

---

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Package: braces (npm) Affected versions: < 3.0.3 Patched version: 3.0.3 https://github.com/Vylpes/vylbot-app/security/dependabot/24 --- The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Helpdesk added the

type

alert

label 2024-06-24 18:41:27 +01:00

Vylpes added this to the 3.2.3 milestone 2024-06-24 18:48:35 +01:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

develop

feature/258-fix-tests

renovate/discord.js-14.x-lockfile

renovate/undici-5.x

hotfix/3.2.2

v3.2.2

v3.2.1

v3.2.0

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.7

v3.0.6

v3.0.5

v3.1-alpha1

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0

v3.0-rc2

v3.0-rc1

v3.0-beta2

v3.0-beta1

v2.1.3

Labels

Clear labels   

MankBot

  

PotatoBot

  

VylBot

  

blocked

  

commands

  

configuration

  

core

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

events

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

moderation

  

needs criteria

  

needs estimate

  

question

Further information is requested

  

rules

  

type

admin

  

type

bug

Something isn't working

  

type

defect

A task that has fallen out of testing

  

type

dependencies

Pull requests that update a dependency file

  

type

documentation

Improvements or additions to documentation

  

type

epic

  

type

incident

  

type

investigation

  

type

spike

  

type

story

  

type

subtask

  

wontfix

This will not be worked on

  

blocked

  

duplicate

  

needs criteria

  

needs estimate

  

question

  

type

admin

  

type

alert

  

type

bug

  

type

defect

  

type

dependencies

  

type

design

  

type

documentation

  

type

epic

  

type

incident

  

type

investigation

  

type

spike

  

type

story

  

won't fix

No labels

MankBot

PotatoBot

VylBot

blocked

commands

configuration

core

duplicate

enhancement

events

good first issue

help wanted

invalid

moderation

needs criteria

needs estimate

question

rules

type

admin

type

bug

type

defect

type

dependencies

type

documentation

type

epic

type

incident

type

investigation

type

spike

type

story

type

subtask

wontfix

blocked

duplicate

needs criteria

needs estimate

question

type

admin

type

alert

type

bug

type

defect

type

dependencies

type

design

type

documentation

type

epic

type

incident

type

investigation

type

spike

type

story

won't fix

Milestone

Clear milestone

No items

No milestone

3.2.3

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: RabbitLabs/vylbot-app#444

No description provided.