You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
No response
Description
Hi, we are using Angular 15 in our project and recently got a vulnerability issue reported in one of the transitive dependencies used in "@angular-devkit/build-angular": "^15.2.11" package.
_Vulnerability message when we run audit:
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
I think this will affect other angular versions as well. can we get a minor fix for angular 15 and later versions?
Minimal Reproduction
Create a angular 15 project and use this library "auditjs": "^4.0.41", to run the audit.
Exception or Error
> auditjs ossi --q && (echo 'No Vulnerabilities Found.') || (echo 'Vulnerabilities found. Please fix them before proceeding further' && exit 1)
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2024-4068
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45
Thanks for this issue, unfortunately this is not actionable from our end. It’s worth mentioning that this vulnerability cannot be exploited when using the Angular CLI, as users cannot provide RegExp to the file watcher.
Command
other
Is this a regression?
The previous version in which this bug was not present was
No response
Description
Hi, we are using Angular 15 in our project and recently got a vulnerability issue reported in one of the transitive dependencies used in "@angular-devkit/build-angular": "^15.2.11" package.
_Vulnerability message when we run audit:
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package
braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Inlib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2024-4068
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45_
.
I think this will affect other angular versions as well. can we get a minor fix for angular 15 and later versions?
Minimal Reproduction
Create a angular 15 project and use this library "auditjs": "^4.0.41", to run the audit.
Exception or Error
Your Environment
Anything else relevant?
CVE-2024-4068 was recently introduced and thus the vulnerability was not reported before.
The text was updated successfully, but these errors were encountered: