CVE-2024-4068: Memory Exhaustion in braces
Published May 13, 2024
Affected Software (5 affected components; fixes available)

Component                     | Affected versions | Fixed version
npm/braces                    | < 3.0.3           | 3.0.3
IBM Concert Software          | 1.0.0 to 1.1.0    | not listed
Jonschlinkert Braces Node.js  | < 3.0.3           | not listed
Microsoft cbl2 reaper         | 3.1.1-8           | not listed
Microsoft cbl2 reaper         | 3.1.1-9           | not listed
Remediation
Update to version 3.0.3 to mitigate the issue. A patch is available.
Event History
May 13, 2024
  10:06 AM  CVE published via MITRE
  10:06 AM  Data sourced via MITRE (remedy, description, severity, weakness)
May 14, 2024
  03:42 PM  Data sourced via NVD (description, severity, weakness)
  03:42 PM  Data sourced via NVD (remedy, affected software)
  06:30 PM  Advisory published via GitHub
May 15, 2024
  11:10 AM  Data sourced via Red Hat (description, severity, affected software)
May 17, 2024
  07:00 AM  Data sourced via Microsoft (description, severity, weakness)
  07:00 AM  Data sourced via Microsoft (affected software)
  07:00 AM  Updated via Microsoft (affected software)
  07:00 AM  Updated via Microsoft (description, severity)
Aug 18, 2025
  12:00 AM  Data sourced via IBM (description, affected software)
Frequently Asked Questions
1. What is the severity of CVE-2024-4068?
CVE-2024-4068 has a high severity rating because it can be used to cause a denial of service through memory exhaustion.
2. How do I fix CVE-2024-4068?
To fix CVE-2024-4068, upgrade the braces package to version 3.0.3, or apply the relevant patches for affected IBM products.
3. What causes CVE-2024-4068?
CVE-2024-4068 is caused by the braces module not limiting the number of characters in its input; imbalanced braces in that input can then drive it into infinite loops and memory exhaustion.
4. Which software is affected by CVE-2024-4068?
CVE-2024-4068 affects the braces module in Node.js, and IBM Cognos Analytics versions up to 12.0.3 and 11.2.4 FP4.
5. Is CVE-2024-4068 exploitable remotely?
Yes, CVE-2024-4068 can be exploited remotely if an attacker can send specially crafted imbalanced braces as input.
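The root cause above is unbounded input reaching the brace-expansion routine. Upgrading to 3.0.3 is the fix; where an upgrade cannot ship immediately, an application can refuse oversized or imbalanced patterns before they reach the expander. The guard below is an added example written for this page, not code from the advisory or from the braces project. The function names (checkBracePattern, safeExpand), the limit values in DEFAULT_LIMITS and the decision to reject imbalanced braces outright are all assumptions; tune them to what your application actually accepts.

```javascript
// Added example: a pre-check for brace-expansion input, used as a compensating
// control in front of any brace-expansion routine. Not part of the braces
// project; the limits below are assumed defaults, not values from the advisory.

const DEFAULT_LIMITS = {
  maxLength: 1024, // total characters accepted (assumption)
  maxDepth: 8,     // deepest allowed nesting of { } (assumption)
  maxBraces: 64,   // total opening braces allowed (assumption)
};

// Returns { ok: true } or { ok: false, reason } without expanding anything,
// so the check itself costs O(n) time and no extra memory.
function checkBracePattern(pattern, limits = {}) {
  const lim = { ...DEFAULT_LIMITS, ...limits };
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > lim.maxLength) return { ok: false, reason: 'too long' };

  let depth = 0;
  let braces = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }         // escaped character: skip it
    if (ch === '{') {
      depth++;
      braces++;
      if (depth > lim.maxDepth) return { ok: false, reason: 'nesting too deep' };
    } else if (ch === '}') {
      if (depth === 0) return { ok: false, reason: 'unmatched closing brace' };
      depth--;
    }
  }
  // Imbalanced input is exactly what the advisory names as the trigger, so a
  // guard for an application that only expects well-formed patterns rejects it.
  if (depth !== 0) return { ok: false, reason: 'unbalanced braces' };
  if (braces > lim.maxBraces) return { ok: false, reason: 'too many braces' };
  return { ok: true };
}

// Wraps any expander (for example braces() from the npm package) so that only
// patterns passing the check are ever expanded. expandFn is supplied by the caller.
function safeExpand(pattern, expandFn, limits = {}) {
  const check = checkBracePattern(pattern, limits);
  if (!check.ok) throw new Error(`rejected brace pattern: ${check.reason}`);
  return expandFn(pattern);
}

module.exports = { DEFAULT_LIMITS, checkBracePattern, safeExpand };
```

The check deliberately runs before any expansion so that a rejected pattern never allocates more than the input string itself. Logging the reason on rejection also gives a cheap detection signal: a burst of "too long" or "unbalanced braces" rejections from one client is worth an alert.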