
braces package (version 3.0.2) #5

Closed
DOodle25 opened this issue Nov 6, 2024 · 0 comments · May be fixed by #4
DOodle25 commented Nov 6, 2024

Vulnerability:
The braces package in DIDFrontend/package-lock.json has a memory exhaustion vulnerability. The issue arises from the package's failure to limit the number of characters it can handle during parsing.

Affected Component(s):

  • braces package (version 3.0.2)

Description:
The NPM package braces prior to version 3.0.3 is vulnerable to a memory exhaustion attack. The vulnerability occurs in lib/parse.js, where if a malicious user sends "imbalanced braces" as input, the package enters an infinite loop while attempting to parse the input. During this loop, heap memory is continuously allocated without being freed. As a result, the program eventually exceeds the JavaScript heap limit and crashes.

Severity:

  • High

Potential Impact:

  • Denial of Service (DoS) due to memory exhaustion, potentially crashing the application or making it unresponsive.

Suggested Fix:

  • Upgrade the braces package from version 3.0.2 to 3.0.3 in DIDFrontend/package-lock.json to mitigate this vulnerability.
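The suggested fix is an upgrade, and a lockfile can carry more than one copy of a package, so the check worth running is whether any installed copy of braces is still older than 3.0.3. The following is an added example (not code from the issue, the repository, or the braces project) that audits a parsed package-lock.json; the sample lockfile excerpt and the function names are constructed for illustration.

```javascript
// Added example: find every copy of braces older than the fixed 3.0.3
// in a parsed package-lock.json. Lockfile v2/v3 use a flat "packages"
// map keyed by install path; v1 uses a nested "dependencies" tree, and
// either form can hold several nested copies of the same package.
const FIXED = [3, 0, 3]; // first braces release with the parse limit (per the issue)

// Numeric "x.y.z" comparison; any pre-release suffix after "-" is ignored.
function olderThan(version, target) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== target[i]) return n < target[i];
  }
  return false; // equal to target is not older
}

function findVulnerableBraces(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: "packages" keyed by path such as
  // "node_modules/a/node_modules/braces".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/braces') && meta.version &&
        olderThan(meta.version, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: walk the nested "dependencies" tree instead.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'braces' && olderThan(meta.version, FIXED)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile excerpt (not the repository's real file):
// one top-level copy still on 3.0.2 and one nested copy already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/braces': { version: '3.0.2' },
    'node_modules/micromatch': { version: '4.0.5' },
    'node_modules/some-tool/node_modules/braces': { version: '3.0.3' },
  },
};

console.log(findVulnerableBraces(SAMPLE_LOCK));
```

To run it against a real file, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy older than 3.0.3 remains.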
@DOodle25 DOodle25 added the dependencies Pull requests that update a dependency file label Nov 6, 2024
@DOodle25 DOodle25 self-assigned this Nov 6, 2024
@DOodle25 DOodle25 linked a pull request Nov 6, 2024 that will close this issue
Repository owner locked and limited conversation to collaborators Nov 6, 2024
@DOodle25 DOodle25 converted this issue into discussion #6 Nov 6, 2024
