Vulnerability reported in braces package that is using chokidar@3.5.3

[Ashokkumar1995]

Command

other

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Hi, we are using Angular 15 in our project and recently got a vulnerability issue reported in one of the transitive dependencies used in "@angular-devkit/build-angular": "^15.2.11" package.

_Vulnerability message when we run audit:
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
Vulnerability Title: [CVE-2024-4068] CWE-1050
ID: CVE-2024-4068
Description: The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2024-4068
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45_

.

I think this will affect other angular versions as well. can we get a minor fix for angular 15 and later versions?

Minimal Reproduction

Create a angular 15 project and use this library "auditjs": "^4.0.41", to run the audit.

Exception or Error

> auditjs ossi --q && (echo 'No Vulnerabilities Found.') || (echo 'Vulnerabilities found. Please fix them before proceeding further' && exit 1)
[1/1] - pkg:npm/braces@3.0.2 - 1 vulnerability found!
  Vulnerability Title:  [CVE-2024-4068] CWE-1050
  ID:  CVE-2024-4068
  Description:  The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
  
  CVSS Score:  7.5
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE:  CVE-2024-4068
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2024-4068?component-type=npm&component-name=braces&utm_source=auditjs&utm_medium=integration&utm_content=4.0.45

Your Environment

Angular CLI: 15.2.10
Node: 16.19.1
Package Manager: npm 8.19.3
OS: win32 x64

Angular: 15.2.10
... animations, cli, common, compiler, compiler-cli, core, forms
... language-service, localize, platform-browser
... platform-browser-dynamic, router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1502.10
@angular-devkit/build-angular   15.2.11
@angular-devkit/core            15.2.10
@angular-devkit/schematics      15.2.10
@angular/cdk                    15.2.9
@angular/flex-layout            15.0.0-beta.42
@angular/material               15.2.9
@schematics/angular             15.2.10
ng-packagr                      15.2.2
rxjs                            6.6.7
typescript                      4.8.2

Anything else relevant?

CVE-2024-4068 was recently introduced and thus the vulnerability was not reported before.

[alan-agius4]

Thanks for this issue, unfortunately this is not actionable from our end. It’s worth mentioning that this vulnerability cannot be exploited when using the Angular CLI, as users cannot provide RegExp to the file watcher.

Please see: paulmillr/chokidar#1314