CVE-2024-4068 – Denial of service (memory exhaustion) in braces

Severity: None

Date: 2025-12-19


Abstract

The npm package `braces`, in versions prior to 3.0.3, fails to limit the number of characters it can handle, which can lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.

The Oxygen products incorporate the npm package "braces" as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability for Oxygen Content Fusion.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen Content Fusion v8.1 and older | None | Oxygen Content Fusion 8.2 build 2025082116

Mitigation

None

Detail

CVE-2024-4068

Severity: High

CVSS Score: 7.5

The npm package braces, in versions prior to 3.0.3, can enter an infinite parsing loop when given imbalanced brace input. This causes unbounded heap allocations that exhaust memory and crash the process, resulting in a denial of service.
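The following is an added example, not code from the advisory or from the braces project: a defensive pre-check that rejects the two input classes described above (oversized patterns and imbalanced braces) before a pattern reaches a brace-expanding library. The length cap `DEFAULT_MAX_LENGTH` and the function names are assumptions chosen for illustration.

```javascript
// Defensive input validation for brace-expansion patterns (added example).
// The cap is an assumed value; tune it to the largest legitimate pattern
// your application expects.
const DEFAULT_MAX_LENGTH = 10000;

// Returns { ok: true } for a pattern that is within the length cap and has
// balanced, unescaped braces; otherwise { ok: false, reason } explaining why.
function checkBracePattern(pattern, maxLength = DEFAULT_MAX_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern exceeds ${maxLength} characters` };
  }
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // a backslash escapes the next character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: `unmatched "}" at index ${i}` };
      }
      depth--;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: `${depth} unclosed "{"` };
  }
  return { ok: true, reason: '' };
}

// Gate any expander function (for example braces) behind the check, so a
// rejected pattern never reaches the parser at all.
function safeExpand(expand, pattern, maxLength = DEFAULT_MAX_LENGTH) {
  const check = checkBracePattern(pattern, maxLength);
  if (!check.ok) {
    throw new Error(`rejected pattern: ${check.reason}`);
  }
  return expand(pattern);
}

// Constructed sample inputs: the first is well formed, the rest are rejected.
const samples = ['file{a,b}.txt', 'file{a,b.txt', '{'.repeat(20000)];
samples.forEach((s) => console.log(JSON.stringify(checkBracePattern(s))));
```

Calling `safeExpand(braces.expand, userPattern)` is one way to wire the check in front of a real expander while still using that library unchanged.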

Our investigation determined that braces 3.0.2 was not included in production artifacts. No released Oxygen Content Fusion versions are affected.

Starting with Oxygen Content Fusion version 8.2 build 2025082116, the affected library was removed.
