Skip to content

fix: braces: fails to limit the number of characters it can handle#35

Draft
galanko wants to merge 1 commit into
masterfrom
opensec/fix/braces-2.3.2-cve-2024-4068
Draft

fix: braces: fails to limit the number of characters it can handle#35
galanko wants to merge 1 commit into
masterfrom
opensec/fix/braces-2.3.2-cve-2024-4068

Conversation

@galanko

@galanko galanko commented May 15, 2026

Copy link
Copy Markdown

Summary

Automated remediation for CVE-2024-4068: braces fails to limit the number of characters it can handle

Changes

Vulnerability Details

  • CVE: CVE-2024-4068
  • Severity: HIGH (CVSS 7.5)
  • Issue: Memory exhaustion via imbalanced braces input
  • Affected Version: braces < 3.0.3

Root Cause

The vulnerable version braces@2.3.2 was introduced transitively through:

  • nodemon@3.0.1 → chokidar@2.1.8 → micromatch@3.1.10 → braces@2.3.2
  • forever@4.0.3 → forever-monitor@3.0.3 → chokidar@2.1.8 → braces@2.3.2

Fix Applied

  1. Updated nodemon from ^3.0.1 to ^3.1.0

    • Brings in chokidar@3.6.0 which depends on braces@3.0.3+
  2. Added npm override for braces to >=3.0.3

    • Forces braces@3.0.3+ across ALL dependencies in the tree
    • Overrides instances that would otherwise pull braces@2.3.2 or @1.8.5

Verification

✅ All braces@2.3.2 instances replaced with braces@3.0.3
✅ No braces@2.3.2 in dependency tree
✅ Unit tests pass
✅ No breaking changes to application functionality
✅ Normal braces parsing works correctly

Files Modified

  • package.json: Updated nodemon version, added braces override
  • package-lock.json: Regenerated with updated dependencies

Generated by OpenSec remediation agent

Remediation for CVE-2024-4068: Update nodemon to ^3.1.0 and add npm override
for braces to >=3.0.3 to prevent memory exhaustion vulnerability.

- Updated nodemon from ^3.0.1 to ^3.1.0 (brings chokidar with braces@3.0.3)
- Added npm override to force braces@3.0.3+ across all dependencies
- All vulnerable instances of braces@2.3.2 replaced with braces@3.0.3
- Tests pass successfully with updated dependencies
- No breaking changes to application functionality

Fixes: CVE-2024-4068 (CVSS 7.5)
Affects: braces < 3.0.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant